Skip to main content

Samsung Galaxy Store vulnerabilities left a hole for attackers to install apps and more

You should update the Galaxy Store on your Samsung smartphone and/or tablet immediately, as a security hole leaves your device at potential risk.

Cybersecurity researchers at NCC Group this week revealed two major security vulnerabilities affecting the Galaxy Store app store that ships on Samsung’s Android smartphones and tablets. Both vulnerabilities have since been fixed, but you’ll need to update the store to apply the fixes.

The first issue, CVE-2023-21433, is caused by “improper access control” in the Galaxy Store and allows malicious parties to install apps on a user’s device without their knowledge. That app must be available through the Galaxy Store in the first place, though, and the issue only affects Android 12 and prior – Samsung Galaxy devices upgraded to Android 13 are immune to this particular issue.

It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.

The impact of this particular issue is relatively minor due to the fact that it can only install apps from a relatively safe app store, but it is important to fix nonetheless.

The other issue that NCC Group found, CVE-2023-21434, also had potential to cause issues. The Galaxy Store’s webview filter was not properly configured and allows for malicious domains to be accessed as long as they had similar elements to an approved URL. The main worry here came from JavaScript attacks, which could have been loaded.

Both of these security issues were fixed in Galaxy Store version 4.5.49.8 which is available now.

More on Samsung:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Schoon Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.