If you own a Galaxy smartphone, be aware that vulnerabilities in the Galaxy Store app let attackers install any app on a Galaxy phone without your knowledge. The vulnerabilities were found by researchers at the cybersecurity firm NCC Group between November 23 and December 3, 2022, and the flaw was assigned the Common Vulnerabilities and Exposures number CVE-2023-21433.
A CVE number helps researchers keep track of a flaw, and Google cites these CVE numbers in its changelog when it patches the flaws in the monthly Android updates. A second flaw, assigned CVE-2023-21434, allows attackers to execute JavaScript on a Galaxy handset.
According to the research report, the flaws can easily let bad actors access personal data and could also cause the app to crash. Because of these vulnerabilities in the Galaxy Store app, an attacker can install any app on the user's Samsung phone without their knowledge, which poses a huge security risk.
Samsung has already released an updated version that fixes two vulnerabilities
NCC shared that, using ADB (Android Debug Bridge), it instructed the Galaxy Store app to install the "Pokemon Go" app by submitting an intent to the app store naming the desired target application. The intent also indicates whether the app is to be opened after installation, giving attackers more choices in attacking users. Researchers also found that the webviews in the Galaxy Store contain a URL filter that isn't properly configured.
Tapping a malicious link in Google Chrome, or via a pre-installed rogue application on a Samsung device, can bypass the URL filter and launch a webview that is controlled by the attacker.
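The article says only that the Galaxy Store webview's URL filter "isn't properly configured"; the exact filter is not on the page. The following is an added example, not NCC Group's or Samsung's code, that models the general failure mode of such filters: an unanchored pattern that merely has to appear somewhere in the URL, next to a hardened check that parses the URL and compares the scheme and the exact host against an allow-list. The host names are constructed placeholders.

```python
"""Weak versus hardened URL allow-list checks for a webview (added example).

The weak checker models a common misconfiguration: the allowed origin
only has to occur somewhere in the string, so a foreign page can satisfy
it by embedding the allowed origin in a query parameter or by using it as
a subdomain prefix. The hardened checker parses first and then compares
scheme and exact host.
"""
import re
from urllib.parse import urlparse

# Constructed placeholder hosts; the real allow-list is not on the page.
ALLOWED_HOSTS = {"store.example.com", "cdn.example.com"}

# Weak: not anchored to the start of the string and not bounded at the
# end of the host, so it matches far more than intended.
WEAK_PATTERN = re.compile(r"https://(store|cdn)\.example\.com")


def weak_is_allowed(url: str) -> bool:
    """Misconfigured filter: passes if the pattern appears anywhere."""
    return WEAK_PATTERN.search(url) is not None


def strict_is_allowed(url: str) -> bool:
    """Hardened filter: parse, require https, compare the exact host."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lower-cased; userinfo and port stripped
    if host is None:
        return False
    return host in ALLOWED_HOSTS


# Constructed sample URLs: one legitimate, the rest shaped to slip past
# a substring match while pointing at a host that is not allowed.
SAMPLE_URLS = [
    "https://store.example.com/app",
    "https://store.example.com.attacker-placeholder.org/x",
    "https://attacker-placeholder.org/?next=https://store.example.com",
    "http://store.example.com/",
]


def evaluate(urls):
    """Return {url: (weak_verdict, strict_verdict)} for each URL."""
    return {u: (weak_is_allowed(u), strict_is_allowed(u)) for u in urls}


if __name__ == "__main__":
    for url, (weak, strict) in evaluate(SAMPLE_URLS).items():
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Only the first sample should be allowed; the weak checker also admits the two URLs that contain the allowed origin as a prefix or a query value, which is how a link opened from a browser or another app can land an attacker-controlled page in the privileged webview.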
Unfortunately, not all Samsung devices can upgrade the Galaxy Store app to its latest version. However, if you have a Galaxy device running Android 13, CVE-2023-21433 cannot be exploited on your device, thanks to the security features of the OS. Samsung released a new version, 4.5.49.8, on the very first day and announced that it had patched two vulnerabilities in the Galaxy Store. So if you haven't updated the Galaxy Store app on your Android 13 Galaxy phone, we would suggest you do that right away.
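A practical way to check a fleet of Galaxy devices against the two facts above (Galaxy Store 4.5.49.8 carries the fix; Android 13 blocks CVE-2023-21433 at the OS level) is to read the installed Galaxy Store version and the Android release over ADB and compare them. The script below is an added example, not NCC Group's or Samsung's tooling. It assumes the Galaxy Store package name is com.sec.android.app.samsungapps (not stated on the page), and it embeds constructed `dumpsys package` output so it runs offline; on a real device you would feed it the output of `adb shell dumpsys package com.sec.android.app.samsungapps` and `adb shell getprop ro.build.version.release`.

```python
"""Assess whether a Galaxy device is covered against the Galaxy Store
flaws (added example). Parses dumpsys output for the Galaxy Store
versionName and combines it with the Android release number."""
import re

FIXED_STORE_VERSION = "4.5.49.8"  # version the article says carries the fix
MITIGATING_ANDROID_MAJOR = 13     # article: Android 13 blocks CVE-2023-21433
STORE_PACKAGE = "com.sec.android.app.samsungapps"  # assumed package name

# Constructed sample output in the shape of `dumpsys package <pkg>`;
# versionCode and userId values are made up for the example.
PATCHED_DUMPSYS = f"""\
Package [{STORE_PACKAGE}] (3a1b2c):
    userId=10042
    versionCode=450049008 minSdk=26 targetSdk=33
    versionName=4.5.49.8
"""
OLD_DUMPSYS = f"""\
Package [{STORE_PACKAGE}] (3a1b2c):
    userId=10042
    versionCode=450048003 minSdk=26 targetSdk=33
    versionName=4.5.48.3
"""


def parse_version(text: str) -> tuple:
    """'4.5.49.8' -> (4, 5, 49, 8); non-numeric parts are treated as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_at_least(installed: str, required: str) -> bool:
    """Compare dotted versions numerically, padding the shorter with 0s."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def extract_version_name(dumpsys_text: str):
    """Pull versionName=<value> out of dumpsys output, or None if absent."""
    match = re.search(r"versionName=(\S+)", dumpsys_text)
    return match.group(1) if match else None


def assess(dumpsys_text: str, android_release: str) -> dict:
    """Return the patch state of the store app and the OS-level mitigation."""
    version = extract_version_name(dumpsys_text)
    major = int(android_release.split(".")[0])
    return {
        "store_version": version,
        "store_patched": version is not None
        and version_at_least(version, FIXED_STORE_VERSION),
        # Only CVE-2023-21433 is covered by the OS; CVE-2023-21434 still
        # needs the updated Galaxy Store.
        "cve_2023_21433_mitigated_by_os": major >= MITIGATING_ANDROID_MAJOR,
    }


if __name__ == "__main__":
    print(assess(OLD_DUMPSYS, "12"))
    print(assess(PATCHED_DUMPSYS, "13"))
```

A device that reports `store_patched: False` and `cve_2023_21433_mitigated_by_os: True` is the case the article describes for Android 13 phones that have not yet updated: the install flaw is blocked by the OS, but the webview flaw (CVE-2023-21434) remains until the Galaxy Store update is applied.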