Samsung fixes two vulnerabilities in the Galaxy App Store

Samsung fixes two vulnerabilities in the Galaxy App Store: they allow attackers to stealthily install applications and run malicious code

At the end of December last year, cybersecurity experts at NCC Group discovered vulnerabilities in the Samsung Galaxy App Store and reported them to the manufacturer. On January 1st, the company released an updated version of the client (4.5.49.8), and the researchers have now released technical details of the vulnerabilities.

    Image source: Gerd Altmann / pixabay.com

The first vulnerability is tracked as CVE-2023-21433. It is an improper access control issue that allows arbitrary applications to be installed on the victim's device. The second is registered as CVE-2023-21434. It is an improper input validation vulnerability that allows malicious JavaScript code to be executed on the target device.

Exploiting the first vulnerability requires local access to the victim's device, which experts say is not a problem for experienced attackers. As a demonstration, the researchers showed how to install the Pokemon Go gaming application on the device without the owner's involvement, although attackers might choose something more dangerous. Devices running Android 13 are not affected, even in combination with the outdated Store client, but in practice that doesn't help much: according to AppBrain Analytics, only 7% of all Android devices run the latest version of the platform, and unsupported versions of the system (Android 9.0 and older) hold 27% of the market.

The second vulnerability affects the WebView component (built-in browser) of the Galaxy App Store, which is meant to open pages only from a limited set of domain names. Before the fix, however, the filter was misconfigured, which made it possible to bypass the restriction and open pages at addresses controlled by attackers, into which malicious JavaScript code could be embedded.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
