Exploit Released for Galaxy Store Flaw That Let Attacker Install Malware
Researchers from NCC Group discovered two flaws in the Galaxy App Store application between November 23 and December 3, 2022.
Two flaws in Samsung's official app store, the Galaxy App Store, could let attackers install any app without the user's knowledge or lead users to a malicious website.
Technical Details of the Security Flaws
- Improper access control may allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)
Researchers say the Galaxy App Store was found to contain an exported activity that does not securely handle incoming intents. This allows other apps running on the same Samsung device to silently install any application from the Galaxy App Store.
The proof-of-concept (PoC) provided by NCC Group's analysts is an ADB (Android Debug Bridge) command that tells the app to install the "Pokémon Go" game by submitting an intent to the app store with the target application specified.
In this case, the intent may also specify whether or not the newly installed application should be opened, giving threat actors more options for how to carry out the attack.
"A pre-installed rogue application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy App Store", NCC reports.
Samsung has updated the Galaxy App Store for devices running Android 12 or lower (version 4.5.49.8). Android 13 smartphones are unaffected by this issue.
- Improper input validation may allow local attackers to execute JavaScript by launching a web page (CVE-2023-21434)
It was found that a webview within the Galaxy App Store included a filter that restricted the URLs it could browse to. The filter, however, was improperly configured, allowing the webview to navigate to a domain that the attacker controlled.
"Either tapping a malicious link in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung's URL filter and launch a webview to an attacker-controlled domain", NCC explains.
The proof-of-concept (PoC) demonstrated in the research consists of a link that, when clicked from Chrome, opens a web page containing malicious JavaScript and executes it on the target device.
In this case, the "player.glb.samsung-gamelauncher.com" portion of the malicious domain is the only requirement for the attack: an attacker can register any domain and place that string in front of it as a subdomain.
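The following is an added example, not code from the article or from NCC Group, and it makes one assumption the article does not state: that the broken filter behaved like a substring match on the expected host name (the article only says the filter was misconfigured and that the "player.glb.samsung-gamelauncher.com" string was the sole requirement). It contrasts such a check with a hardened one that parses the URL and compares the host exactly, run over a set of constructed sample URLs; `attacker.example` is a placeholder, not a real host.

```python
"""Added example (not from the article or NCC Group): why a webview URL
allow-list must compare the parsed host exactly rather than search for the
expected host string somewhere inside the URL."""
from urllib.parse import urlsplit

# The host the Galaxy App Store webview was meant to be limited to (named in the article).
ALLOWED_HOST = "player.glb.samsung-gamelauncher.com"


def weak_filter(url: str) -> bool:
    """Hypothetical weak check (assumed shape of the flaw, not Samsung's code):
    passes whenever the expected host string appears anywhere in the URL.
    Any attacker-registered domain carrying that string as a subdomain,
    in the path, in the query, or as embedded credentials satisfies it."""
    return ALLOWED_HOST in url


def strict_filter(url: str) -> bool:
    """Hardened check: parse the URL, require https, and compare the host
    exactly. urlsplit().hostname is already lower-cased with any userinfo
    and port stripped; a trailing dot (FQDN form) is normalised away."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if host is None:
        return False
    return host.rstrip(".") == ALLOWED_HOST


# Constructed sample URLs mapped to whether a correct filter should accept them.
SAMPLES = {
    "https://player.glb.samsung-gamelauncher.com/game/1": True,
    "https://PLAYER.glb.samsung-gamelauncher.com./": True,
    # expected host used as a subdomain of an attacker-registered domain
    "https://player.glb.samsung-gamelauncher.com.attacker.example/": False,
    # expected host only in the query string
    "https://attacker.example/?next=player.glb.samsung-gamelauncher.com": False,
    # expected host as the userinfo part, real host is attacker.example
    "https://player.glb.samsung-gamelauncher.com@attacker.example/": False,
    # right host, wrong scheme
    "http://player.glb.samsung-gamelauncher.com/": False,
    # non-http scheme with the host string in a comment
    "javascript:alert(1)//player.glb.samsung-gamelauncher.com": False,
}


def compare_filters() -> dict:
    """Return {url: (weak_result, strict_result, expected)} for every sample."""
    return {u: (weak_filter(u), strict_filter(u), exp) for u, exp in SAMPLES.items()}


def strict_filter_is_correct() -> bool:
    """True when the strict filter matches the expected verdict on every sample."""
    return all(strict_filter(u) == exp for u, exp in SAMPLES.items())


def weak_filter_false_positives() -> list:
    """URLs the weak filter accepts even though they leave the allowed host."""
    return [u for u, exp in SAMPLES.items() if weak_filter(u) and not exp]


if __name__ == "__main__":
    for url, (weak, strict, expected) in compare_filters().items():
        print(f"weak={weak!s:5} strict={strict!s:5} expected={expected!s:5} {url}")
    print("weak filter false positives:", len(weak_filter_false_positives()))
```

The point for defenders: the strict check accepts only the two genuine hosts, while the substring check waves through all five constructed bypass forms. Exact host comparison after parsing (plus a scheme check) is the property to verify when reviewing any webview or deep-link URL filter.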
An updated version of the Galaxy App Store (version 4.5.49.8) has been made available by Samsung.
Users are advised to open the Galaxy App Store and, if prompted, download and install the latest version.
Source credit: cybersecuritynews.com