At the end of December last year, NCC Group cybersecurity experts discovered vulnerabilities in the Samsung Galaxy App Store and warned the manufacturer about it. On January 1, the company released an updated version of the client (4.5.49.8), and now the researchers have released the technical details of the incident.

The first vulnerability, designated CVE-2023-21433, deals with improper access control and allows arbitrary applications to be installed on the victim's device. The second was registered under the number CVE-2023-21434 - it is characterized as a code error vulnerability and allows the execution of malicious JavaScript code on the target device.

To exploit the first vulnerability, local access to the victim's device is required, but, according to experts, this is not a problem for experienced attackers. As a demonstration, the researchers showed how to bypass the owner to install the Pokemon Go gaming application on the gadget, although hackers could choose something more dangerous. Devices running Android 13 are not affected, even in combination with the outdated store client, but in practice this will not help much yet: according to AppBrain analytics, only 7% of all Android devices are controlled by the latest version of the platform, and unsupported versions of the system (Android 9.0 and older) hold 27% of the market.

The second vulnerability concerns the operation of the webview component (built-in browser) of the Galaxy App Store - it supports a limited number of domain names. But before the vulnerability was fixed, the filter was configured incorrectly, which made it possible to bypass restrictions and open pages at addresses controlled by potential hackers, into which malicious JavaScript code could be embedded.