These security flaws could let hackers install anything they wanted in the Samsung Galaxy App Store

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Samsung has patched two vulnerabilities in its mobile app marketplace that could have allowed threat actors to install any app on a target mobile device without the device owner’s knowledge or consent.

Cybersecurity researchers from the NCC Group discovered the vulnerabilities in late December 2022 and tipped Samsung off, with the company issuing a patch (version 4.5.49.8) on January 1 2023.

Now, almost a month after the flaw was addressed, the researchers published technical details and a proof-of-concept (PoC) exploit code.

TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.

D. Athow, Managing Editor

Installing malicious apps

The first flaw is tracked as CVE-2023-21433, an improper access control flaw that can be used to install apps on the target endpoint. The second flaw, tracked as CVE-2023-21434, is described as an improper input validation vulnerability, which can be used to execute malicious JavaScript on the targeted device. 

While local access is required in the exploiting of both vulnerabilities, for skilled criminals that’s a non-issue, it was said. The researchers demonstrated the flaws by having the app install Pokemon Go, a globally popular geolocation game based on the world of Pokemon. 

While Pokemon Go is a benign app, the flaws could have been used for more sinister goals, the researchers confirmed. In fact, threat actors could have used them to access sensitive information or crash mobile apps. 

It also needs to be mentioned that Samsung devices running Android 13 are not vulnerable to the flaw, even if their device still carries an older, vulnerable version of the Galaxy Store. 

This is due to additional security measures introduced in the latest version of the popular mobile OS. 

However, according to figures from AppBrain, just 7% of all Android devices are sporting the latest version, while unsupported versions of Android (9.0 Pie and older) make up roughly 27% of the entire Android market share. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
App stores are increasingly becoming a major security worry
an image of the Samsung Galaxy S24 Ultra
Samsung pulls curtains on classified operation called Project Infinity, where teams compete relentlessly to improve security on billions of Galaxy phones
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Trojan
WhatsApp patches security flaw which let hackers install spyware
A VPN runs on a mobile phone placed on a laptop keyboard
SonicWall firewalls hit by worrying cyberattack
Flag of the People's Republic of China overlaid with a technological network of wires and circuits.
One of the biggest flaws exploited by Salt Typhoon hackers has had a patch available for years
Latest in Security
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Android Logo
Devious new Android malware uses a Microsoft tool to avoid being spotted
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Google Chrome
Google Chrome security flaw could have let hackers spy on all your online habits
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Nespresso Vertuo Pop machine in Candy Pink with coffee drinks and capsules
My favorite Nespresso coffee maker just got a fresh new makeover, and now I love it even more
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC