Samsung Electronics Co. Ltd. has patched vulnerabilities in its Galaxy Store app that could have allowed bad actors to install any app on a targeted mobile device without the device owner’s knowledge or consent.
Detailed Jan. 20 by researchers at NCC Group plc, the first vulnerability, designated CVE-2023-21433, opens the door for attackers to install applications through an export function that does not safely handle incoming intents.
An attacker could exploit an existing application installed on a device to automatically install any application available in the Galaxy Store app without the user’s knowledge. The vulnerability does not apply to Android 13 thanks to changes made in the operating system, with only Android 12 and below affected.
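The root cause described above, an exported component that accepts intents from any app on the device, is something a defender can check for in an app's manifest. The script below is an added example, not code from the article, NCC Group or Samsung; it audits a constructed sample AndroidManifest.xml (hypothetical package and component names) for components reachable by third-party apps that carry no android:permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not the Galaxy Store's): InstallActivity is
# implicitly exported by its intent-filter and has no permission guard.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.store">
  <application>
    <activity android:name="com.example.store.InstallActivity">
      <intent-filter>
        <action android:name="com.example.store.action.INSTALL" />
      </intent-filter>
    </activity>
    <activity android:name="com.example.store.UpdateActivity"
        android:exported="true"
        android:permission="com.example.store.permission.INTERNAL" />
    <receiver android:name="com.example.store.DownloadReceiver"
        android:exported="false">
      <intent-filter>
        <action android:name="com.example.store.action.DONE" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def _attr(elem, name):
    # Attributes in the android: namespace are stored with the full URI prefix.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def find_unprotected_exported_components(manifest_xml):
    """Return (tag, name, reason) for components any third-party app can reach.
    A component counts as exported when android:exported="true", or when it
    declares an <intent-filter> and leaves the attribute unset (the default
    for apps targeting below API 31). Exported + no android:permission = flag."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for comp in ([] if app is None else app):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exported = _attr(comp, "exported")
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and comp.find("intent-filter") is not None:
            reason = "intent-filter present, android:exported unset"
        else:
            continue  # explicitly private, or no way for other apps to reach it
        if _attr(comp, "permission") is None:
            findings.append((comp.tag, _attr(comp, "name"), reason))
    return findings
```

Components the script flags still need triage (a launcher activity is legitimately exported), but any flagged component that performs a privileged action such as installing packages should either be made private or gated by a signature-level permission.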
For both vulnerabilities, users are encouraged to install the latest update to the Galaxy Store app.
“As a general rule, outside of mobile device management type apps, apps should not be able to install other apps on mobile,” JT Keating, senior vice president of Strategic Initiatives at mobile security solutions provider Zimperium Inc., told SiliconANGLE. “It is part of the security advancements that mobile OSes have over traditional OSes.”