Samsung Galaxy Store flaw could have allowed installing malicious apps on target devices

November 1, 2022  By Pierluigi Paganini


A security flaw in the Galaxy Store app for Samsung devices could have potentially allowed remote command execution on affected phones.

A now-patched vulnerability in the Galaxy Store app for Samsung devices could have potentially triggered remote command execution on affected phones.

The flaw is a cross-site scripting (XSS) bug that can be triggered when handling certain deep links.

The vulnerability impacts Galaxy Store version 4.5.32.4, it was reported by an independent security researcher through the SSD Secure Disclosure program.

“In the Galaxy Store application, there are some deeplinks handled. Deeplink can be called from another application or from a browser. When receiving suitable deeplinks Galaxy Store will process and display them via webview.” reads the advisory. “Here, by not checking the deeplink securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application.”

The expert focuses on deep links configured for Samsung’s Marketing & Content Service (MCS).

The SamSung MCS Direct Page website was parsing the parameter from the url and then display it on the website, but it did not encode, leading to an XSS error.

“We can see the website is processing the abc, def parameters and displaying as above without encoding, the url is passed directly to href this is very dangerous and will cause XSS.” continues the advisory.

While analyzing the deeplink process code, the expert noticed two functions, downloadApp and openApp, in the Class EditorialScriptInterface.

The two functions allow getting the app id and downloading them from the store or opening them. This means that it is possible to use JS code to call these two functions. In this scenario, an attacker can inject arbitrary code into the MCS website and execute it.

This issue can be exploited to download and install malicious apps on the Samsung device when visiting the link.

Samsung has already issued patches to address this issue.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

VMware warns of the public availability of CVE-2021-39144 exploit code

 VMware warned of the availability of a public exploit for a recently addressed critical remote code execution flaw in NSX Data...