All Samsung Galaxy owners need to have the latest version from the Galaxy Store on their phones

Researchers at NCC Group Inc., a cybersecurity company, discovered vulnerabilities in the Galaxy Store, an app storefront that’s only available to those with a Samsung Galaxy phone. The vulnerabilities were found between November 23 and December 3, 2022, and could have allowed attackers to install any app from the Galaxy Store on a Galaxy phone without the user’s knowledge.
This flaw is designated with the Common Vulnerabilities and Exposures (CVE) number CVE-2023-21433. Giving each vulnerability a CVE number helps researchers keep track of it, and Google cites these numbers when it discloses patched flaws in its monthly Android updates. The second flaw is CVE-2023-21434, which allows attackers to execute JavaScript on a Galaxy phone.

Exploiting vulnerabilities may put a Galaxy user’s personal information at risk

The report states that depending on what the attacker has in mind, an attack that exploits the vulnerabilities could allow bad actors to access personal data and could even crash applications. If an attacker uploads a malicious app to the Galaxy Store before exploiting the flaws, they can install that app on a Galaxy smartphone without the owner’s knowledge. This may lead to serious security problems.

When the attack is initiated, a user can click on a malicious hyperlink that appears in the Google Chrome browser (on a Samsung Galaxy phone), or a rogue app pre-installed on a Galaxy phone can pass through Samsung’s URL filter and open a webview to an attacker-controlled domain.

The report by NCC states, “The Galaxy Store has been found to have an exported activity that does not handle incoming intents in a secure manner. This allows other apps installed on the same Samsung device to automatically install any app available on the Galaxy Store without the user’s knowledge.” The report also says, “The rogue app pre-installed on a Samsung device running Android 12 or below can abuse this issue to install any app currently available on the Galaxy Store.”
CVE-2023-21433 cannot be exploited on Samsung phones running Android 13 thanks to security features that are part of the latest design of Google’s mobile operating system. In addition, on the first day of 2023, Samsung announced that it had patched the two vulnerabilities and released version 4.5.49.8 of the Galaxy Store.


Make sure that you have the latest version of the Galaxy Store running on your Galaxy-branded phone even if the device is running Android 13. This is because there may be other issues related to the older build of the Galaxy Store which are not neutralized by the security features of Android 13.

How to update the Galaxy Store on your Samsung phone

To update the Galaxy Store on your phone, open the Galaxy Store app and you will see a notification with an Update button. Tap this button and follow the instructions. If you don’t see the notification, after opening the app go to Menu > Settings, tap About Galaxy Store, and then tap the update button. Since the update was released on January 1st, there is a good chance that you already have the update installed.
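For readers who manage several Galaxy devices, or who simply want to confirm the installed build rather than trust the in-app notification, the following added script compares a Galaxy Store versionName against the patched release 4.5.49.8 named above. It is example code written for this page, not Samsung’s or NCC Group’s; the Galaxy Store package name and the use of adb over USB debugging are assumptions not stated in the article, and the version-comparison helper works offline on any dotted version string.

```shell
#!/bin/sh
# Added example (not from the article or NCC Group): check whether a Galaxy Store
# build is at or above the patched release the article cites (4.5.49.8).
PATCHED_VERSION="4.5.49.8"
# Assumed package name of the Galaxy Store on Samsung devices (not stated in the article).
GALAXY_STORE_PKG="com.sec.android.app.samsungapps"

# version_ge A B -> exit 0 if dotted version A >= B, comparing field by field
# numerically; a missing field counts as 0 and any non-digit suffix ("8-beta") is dropped.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# galaxy_store_status VERSION -> prints "patched" or "vulnerable"; exit 0 only when patched
galaxy_store_status() {
    if version_ge "$1" "$PATCHED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Read the installed versionName from an attached device over adb
# (assumption: adb is in PATH and USB debugging is enabled on the phone).
installed_galaxy_store_version() {
    adb shell dumpsys package "$GALAXY_STORE_PKG" \
        | sed -n 's/^[[:space:]]*versionName=//p' \
        | head -n 1
}

# Stand-alone usage: pass a version string to check, e.g. "./check.sh 4.5.49.8",
# or no argument to query the attached device.
if [ -n "${1:-}" ]; then
    galaxy_store_status "$1"
elif [ "${0##*/}" = "check.sh" ]; then
    galaxy_store_status "$(installed_galaxy_store_version)"
fi
```

The comparison is done per field rather than as a string, so 4.5.50.0 correctly reads as newer than 4.5.49.8 and a short string such as 4.5 is treated as older; a device whose reported versionName is below the patched release should be updated through the steps above before anything else is trusted on it.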

Those who own older Samsung Galaxy phones that no longer have Samsung support may be out of luck. This is because they will not receive an update to the Galaxy Store, and their version of the app storefront may contain the defects. In this case you could buy a new phone, or you may want to disable the Galaxy Store on your phone. But the latter is not a good solution, because updates to Samsung’s apps on your device come through the Galaxy Store.

If buying a new phone is out of the question, go ahead and check the device to make sure you don’t have any installed apps that you don’t remember downloading (other than apps that Samsung pre-installed on the phone).
