Galaxy Store flaws can be Exploited by Hackers — Update your Samsung phone now

Two vulnerabilities have been discovered in Samsung's official Android app store that can be exploited by hackers to install unauthorized apps on users' devices or direct them to malicious websites.

The flaws were discovered by NCC Group researchers late last year. Samsung released fixes for both on January 1, 2023, and the Korean hardware giant also rolled out a new version of its Galaxy Store.

Now that both flaws have been patched, NCC Group has released technical details of the vulnerabilities and proof-of-concept (PoC) exploit code for each. Fortunately, since local access is required to exploit these vulnerabilities, an attacker needs to already have a foothold on the target Samsung phone to launch an attack.

The first flaw in the Galaxy Store (tracked as CVE-2023-21433) is an improper access control vulnerability that hackers can exploit to install any app available on the store on a user's device without their consent.

The Galaxy Store handles incoming intents differently from the Google Play Store, allowing other apps on Samsung phones to send it arbitrary app installation requests. Worse, hackers can also take advantage of this flaw to force newly installed apps to open immediately after installation.

The second flaw (tracked as CVE-2023-21434) is an improper input validation vulnerability that can be exploited to execute JavaScript on the victim's device. Security researchers at NCC Group found that the Galaxy Store's WebView has a filter that limits the domains it can display, but the filter is not properly configured and could be bypassed by an attacker to direct unsuspecting users to malicious domains. These sites could then be used for phishing or to infect vulnerable devices with malware.
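The core of the second flaw is a domain filter that does not reliably decide which hosts an embedded browser view may load. The following is an added example, written in Python for this article and not code from Samsung or NCC Group, that contrasts a loose substring-style filter with a strict one that parses the URL and compares the scheme and exact hostname against an allowlist. The allowlisted hostnames and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the only hostnames the embedded browser view may load.
ALLOWED_HOSTS = {"example-store.invalid", "cdn.example-store.invalid"}


def weak_is_allowed(url: str) -> bool:
    """Loose filter: accepts the URL if an allowed hostname appears anywhere in it.

    This is the kind of misconfiguration the article describes; it is shown only
    as the 'before' for contrast and should not be used.
    """
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Strict filter: parse first, then compare scheme and exact hostname."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URLs (e.g. bad IPv6 literals) are rejected outright.
        return False
    if parts.scheme != "https":
        return False
    if parts.hostname is None:
        return False
    # Credentials embedded in the authority component are never expected here.
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname.lower() in ALLOWED_HOSTS


# Constructed sample URLs covering the normal case and common filter mistakes.
SAMPLE_URLS = [
    "https://example-store.invalid/apps/detail",          # legitimate
    "https://cdn.example-store.invalid/assets/logo.png",  # legitimate
    "https://example-store.invalid.other.invalid/",       # allowed name as a prefix label
    "https://other.invalid/?next=example-store.invalid",  # allowed name in the query string
    "http://example-store.invalid/",                      # wrong scheme
    "https://user@example-store.invalid/",                # userinfo present
]


def compare_filters(urls=SAMPLE_URLS):
    """Return (url, weak_verdict, strict_verdict) for each URL so the two filters can be compared."""
    return [(u, weak_is_allowed(u), strict_is_allowed(u)) for u in urls]


if __name__ == "__main__":
    for url, weak, strict in compare_filters():
        print(f"{'weak=' + str(weak):<11} {'strict=' + str(strict):<13} {url}")
```

In an Android app the `strict_is_allowed` logic would sit inside the `WebViewClient.shouldOverrideUrlLoading` callback, returning true (block) whenever the check fails. The point of the comparison is that a filter operating on the raw string passes four of the six constructed URLs, while the parsing filter passes only the two legitimate ones.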

As BleepingComputer points out, attackers can use these flaws to access sensitive information stored on victims' Samsung phones, which can lead to data and privacy breaches.

If you own a Samsung phone, you should update your Galaxy Store to the latest version now.

To do so, open the Galaxy Store app, tap "Menu" and then "Settings". From there, tap "About Galaxy Store" and download the latest version. It is recommended that you free up storage on your phone first, as the update will not install if your phone's storage is low.

It is also worth noting that Samsung phones running Android 13 are not vulnerable to the first flaw, thanks to additional security protections included in the latest version of Android. However, older Samsung devices that are no longer supported remain vulnerable to both flaws, and we hope the company is working on a fix for them as well.

For added protection, however, you should install one of the best Android antivirus apps on your phone and make sure Google Play Protect is enabled on your device.

Now that NCC Group has released the technical details of these flaws and a fix has been rolled out, we will likely hear more from Samsung about them.
