All Samsung Galaxy owners need to have the latest version of the Galaxy Store on their phones

Researchers at NCC Group, the cybersecurity firm, discovered vulnerabilities in the Galaxy Store, the app storefront that is available only to those with a Samsung Galaxy handset. The vulnerabilities were found between November 23 and December 3, 2022, and could have allowed an attacker to install any app from the Galaxy App Store on a Galaxy phone without the user's knowledge.

This flaw was assigned the Common Vulnerabilities and Exposures identifier CVE-2023-21433. Giving each vulnerability a CVE number lets researchers track it, and Google cites these numbers when it reveals which flaws have been patched in its monthly Android updates. The second flaw is CVE-2023-21434, which allows attackers to execute JavaScript on a Galaxy handset.

Exploiting the vulnerabilities could put a Galaxy user's personal information at risk
The report notes that depending on what the attacker has in mind, an attack exploiting the vulnerabilities could allow the bad actors to access personal data and could also result in apps crashing. If the attacker uploads a malicious app to the Galaxy Store before exploiting the flaws, he could install that app on a Galaxy smartphone without the owner's knowledge. And that could lead to serious security issues.
The attack could be set off in two ways: the user could tap a malicious hyperlink in the Google Chrome browser on a Samsung Galaxy phone, or a rogue app pre-installed on the Galaxy handset could get past Samsung's URL filter and launch a webview to a domain controlled by the attackers.

The report from NCC states, "It was found that the Galaxy Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy Store without the user’s knowledge." The report also says, "A pre-installed rogue application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy Store."

CVE-2023-21433 cannot be exploited on Samsung phones running Android 13, thanks to security features that are part of the latest build of Google's mobile operating system. Additionally, on the very first day of 2023, Samsung announced that it had patched the two vulnerabilities and released version 4.5.49.8 of the Galaxy Store.

Make sure that you have the latest version of the Galaxy App Store running on your Galaxy-branded phone even if the device is running Android 13. That's because there could be other issues related to the older build of the Galaxy Store that can't be neutralized by the security features on Android 13.

How to update the Galaxy Store on your Samsung phone
To update the Galaxy Store on your phone, open the Galaxy Store app and you should see a notification with a button that says Update. Tap on that button and follow the directions. If you don't see the notification, after opening the app go to Menu > Settings. Tap on About Galaxy Store and press on the update button. Since the update was released on January 1st, there is a good chance that you've already installed the update.

Those who own older Samsung Galaxy phones that no longer have support from Samsung could be out of luck. That's because they would not receive an update for the Galaxy Store and their version of the app storefront could contain the flaws. In this case, you could buy a new phone or you might want to disable the Galaxy Store from your phone. But that isn't a good solution either since updates for Samsung apps for your device come through the Galaxy Store.

If buying a new phone is out of the question, keep checking the device to make sure that there aren't any apps installed that you don't recall downloading (outside of the apps that Samsung pre-installed on the handset).
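For readers who want to script the two checks above rather than tap through menus, here is an added example (not from the article or from NCC Group) that parses the output of two standard Android debugging commands: `adb shell dumpsys package <pkg>` to read the installed Galaxy Store version and compare it against the 4.5.49.8 release the article names, and `adb shell pm list packages -3 -i` to list third-party apps whose recorded installer is the Galaxy Store so the owner can review them. It assumes `com.sec.android.app.samsungapps` is the Galaxy Store's package name, and the command output shown is constructed, not captured from a device.

```python
import re

# Assumption (not stated in the article): the Galaxy Store's Android package name.
GALAXY_STORE_PKG = "com.sec.android.app.samsungapps"
# Version the article reports as carrying Samsung's fix for the two CVEs.
FIXED_VERSION = "4.5.49.8"


def parse_version(v):
    """Turn a dotted version string into a tuple of ints so it compares numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def store_version_from_dumpsys(dumpsys_text):
    """Pull versionName out of `adb shell dumpsys package <pkg>` output."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_text, re.MULTILINE)
    return m.group(1) if m else None


def store_is_outdated(dumpsys_text):
    """True if the installed Galaxy Store is older than the patched release."""
    v = store_version_from_dumpsys(dumpsys_text)
    if v is None:
        return True  # version unknown: treat as needing attention
    return parse_version(v) < parse_version(FIXED_VERSION)


def apps_installed_by_store(pm_list_text):
    """From `adb shell pm list packages -3 -i` output, return third-party packages
    whose recorded installer is the Galaxy Store, for the owner to review."""
    found = []
    for line in pm_list_text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m and m.group(2) == GALAXY_STORE_PKG:
            found.append(m.group(1))
    return found


# Constructed sample output (not captured from a real device).
SAMPLE_DUMPSYS = """Packages:
  Package [com.sec.android.app.samsungapps]:
    versionName=4.5.48.3
"""
SAMPLE_PM_LIST = """package:com.example.game  installer=com.android.vending
package:com.example.unknownapp  installer=com.sec.android.app.samsungapps
package:com.example.sideloaded  installer=null
"""

if __name__ == "__main__":
    print("Galaxy Store outdated:", store_is_outdated(SAMPLE_DUMPSYS))
    for pkg in apps_installed_by_store(SAMPLE_PM_LIST):
        print("Installed via Galaxy Store, review:", pkg)
```

Feed it real output by piping the two adb commands into the functions; on a device that no longer receives Galaxy Store updates, the second list is the one worth checking periodically.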
