MobileNews

Samsung Galaxy Store vulnerabilities left a hole for attackers to install apps and more

Galaxy Store vulnerabilities

You should update the Galaxy Store on your Samsung smartphone and/or tablet immediately, as a security hole leaves your device at potential risk.

Cybersecurity researchers at NCC Group this week revealed two major security vulnerabilities affecting the Galaxy Store app store that ships on Samsung’s Android smartphones and tablets. Both vulnerabilities have since been fixed, but you’ll need to update the store to apply the fixes.

The first issue, CVE-2023-21433, is caused by “improper access control” in the Galaxy Store and allows malicious parties to install apps on a user’s device without their knowledge. That app must be available through the Galaxy Store in the first place, though, and the issue only affects Android 12 and prior – Samsung Galaxy devices upgraded to Android 13 are immune to this particular issue.

It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.

The impact of this particular issue is relatively minor due to the fact that it can only install apps from a relatively safe app store, but it is important to fix nonetheless.

The other issue that NCC Group found, CVE-2023-21434, also had potential to cause issues. The Galaxy Store’s webview filter was not properly configured and allows for malicious domains to be accessed as long as they had similar elements to an approved URL. The main worry here came from JavaScript attacks, which could have been loaded.

Both of these security issues were fixed in Galaxy Store version 4.5.49.8 which is available now.

More on Samsung:



Author: Ben Schoon
Source: 9TO5Google

Related posts
AI & RoboticsNews

DeepSeek R1-0528 arrives in powerful open source challenge to OpenAI o3 and Google Gemini 2.5 Pro

AI & RoboticsNews

Emotive voice AI startup Hume launches new EVI 3 model with rapid custom voice creation

AI & RoboticsNews

FLUX.1 Kontext enables in-context image generation for enterprise AI pipelines

CryptoNews

Russian Couple Kidnapped in Crypto Trap—Escape Sets off Global Hunt

Sign up for our Newsletter and
stay informed!