Galaxy Store flaws can be exploited by hackers — update your Samsung phone now
Flaws can be used to install other Galaxy Store apps or to take users to malicious sites
Two vulnerabilities have been discovered in Samsung’s official Android app store that can be exploited by hackers to install apps on a user’s device without their consent or to take them to malicious websites.
Discovered by researchers from the NCC Group at the end of last year, Samsung released a fix for both flaws on January 1 of 2023 and the Korean hardware giant also rolled out a new version of its Galaxy Store.
Now that both flaws have been patched, the NCC Group has released technical details for the vulnerabilities along with proof-of-concept (PoC) exploit code for each of them. Fortunately, local access is required to exploit them which means a hacker would need to have one of the best Samsung phones in hand to launch an attack.
Forced app installs
The first flaw (tracked as CVE-2023-21433) in the Galaxy Store is an improper access control vulnerability that can be exploited by hackers to install any app available on the store onto a user’s device without their consent.
Unlike with the Google Play Store, the Galaxy Store doesn’t handle incoming intents the same way and this allows other apps on a Samsung phone to send arbitrary app installation requests. To make matters worse, a hacker could also use this flaw to have a new app opened immediately after installation.
The second flaw (tracked as CVE-2023-21434) is an improper input validation that can be exploited to execute JavaScript on a victim’s device. While security researchers at the NCC Group found that webviews in the Galaxy Store have a filter that limits which domains can be shown, it isn’t properly configured and can be bypassed by an attacker to take unsuspecting users to malicious domains. These sites could be used for phishing or even to infect vulnerable devices with malware.
As BleepingComputer points out though, an attacker could leverage these flaws to access sensitive information stored on a victim’s Samsung phone but it could also lead to data or privacy breaches.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
How to stay safe if you own a Samsung phone
If you own a Samsung phone, you should update the Galaxy Store to the latest version right now.
To do so, you first need to open the Galaxy Store app and click on Menu and then Settings. From here, tap on About Galaxy Store to download the latest version. Keep in mind though, you won’t be able to update it if your phone is low on storage so you may want to free up storage on your phone first.
It’s also worth noting that Samsung phones running Android 13 aren’t vulnerable to the first flaw due to additional security protections included in the latest version of Android. However, older Samsung devices that aren’t supported anymore remain vulnerable to both flaws but hopefully the company is working on a fix for this as well.
For additional protection though, you should install one of the best Android antivirus apps on your phone and ensure that Google Play Protect is enabled on your device.
We’ll likely hear more from Samsung regarding these flaws now that the NCC Group has published technical details on them and a fix has been rolled out.
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.