Researchers have disclosed vulnerabilities in Samsung’s Galaxy Store app for Android that could be exploited by an attacker to install arbitrary apps or direct prospective victims to fraudulent landing pages on the web.
The issues were tracked as CVE-2023-21433 and CVE-2023-21434. Samsung classified the bugs as moderate risk.
Samsung Galaxy Store, previously known as Samsung Apps and Galaxy Apps, is a dedicated app store used for Android devices manufactured by Samsung.
The first bug is CVE-2023-21433, which could enable an already installed rogue Android app on a Samsung device to install any application available on the Galaxy Store. Articulated as improper access control by Samsung that it said has been patched with proper permissions to prevent unauthorized access. It affects Android version 12 and before.
The second vulnerability, CVE-2023-21434, is an instance of improper input validation occurring when limiting the list of domains that could be launched as a WebView from within the app, effectively enabling a threat actor to bypass the filter and browse to a domain under their control.
Researchers from the NCC group identified these vulnerabilities and informed Samsung during November 2022, and an update released fixes in version 22.214.171.124 shipped earlier this month as a part of January 2023 fixes