>
Samsung has patched two vulnerabilities in its mobile app marketplace that allowed threat actors to install any app on a target mobile device without the knowledge or consent of the device owner.
Cybersecurity researchers from the NCC Group discovered the vulnerabilities at the end of December 2022 and tipped off Samsung, with the company releasing a patch (version 4.5.49.8) on January 1, 2023.
Now, almost a month after the flaw was fixed, the researchers have released technical details and a proof-of-concept (PoC) exploit code.
Install malicious apps
The first error is tracked as CVE-2023-21433, an incorrect access control error that can be used to install apps on the target endpoint. The second flaw, tracked as CVE-2023-21434, is described as an incorrect input validation vulnerability, which can be used to execute malicious JavaScript on the target device.
While local access is required when exploiting both vulnerabilities, that is a non-issue for skilled criminals, it was said. The researchers exposed the flaws by having the app install Pokemon Go, a globally popular geolocation game based on the world of Pokemon.
While Pokemon Go is a benign app, its flaws could have been used for more sinister purposes, the researchers confirmed. In fact, attackers could have used them to gain access to sensitive information (opens in new tab) or crash mobile apps.
It should also be mentioned that Samsung devices running Android 13 are not vulnerable to the flaw, even if their device still has an older, vulnerable version of the Galaxy Store.
This is due to additional security measures introduced in the latest version of the popular mobile operating system.
According to figures from AppBrain, only 7% of all Android devices are running the latest version, while unsupported versions of Android (9.0 Pie and older) make up about 27% of the total Android market share.
Through: Beeping computer (opens in new tab)