All Samsung Galaxy owners need to have the latest version of the Galaxy Store on their phones - PhoneArena


Researchers at NCC Group, the cybersecurity firm, discovered vulnerabilities in the Galaxy Store, the app storefront that is available only to those with a Samsung Galaxy handset. The vulnerabilities were found between November 23 and December 3, 2022, and could have allowed an attacker to install any app from the Galaxy App Store on a Galaxy phone without the user's knowledge.

This flaw was assigned a Common Vulnerabilities and Exposures number of CVE-2023-21433. Giving each vulnerability a CVE number helps researchers track them, and Google cites these numbers when it reveals which flaws have been patched in its monthly Android updates. The second flaw is CVE-2023-21434, which allows attackers to execute JavaScript on a Galaxy handset.

Exploiting the vulnerabilities could put a Galaxy user's personal information at risk

The report notes that depending on what the attacker has in mind, an attack exploiting the vulnerabilities could allow the bad actors to access personal information and could also result in apps crashing. If the attacker uploads a malicious app to the Galaxy Store before exploiting the flaws, he could install that app on a Galaxy smartphone without the owner's knowledge. And that could lead to serious security issues.

The attack could be set off when the user taps on a malicious hyperlink appearing in the Google Chrome browser (using a Samsung Galaxy phone), or when a rogue app pre-installed on a Galaxy handset gets through Sammy's URL filter and launches a webview to a domain controlled by the attackers.

The report from NCC states, "It was found that the Galaxy Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy Store without the user’s knowledge." The report also says, "A pre-installed rogue application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy Store."

CVE-2023-21433 cannot be exploited on Samsung phones running Android 13 thanks to security features that are part of the latest build of Google's mobile operating system. Additionally, on the very first day of 2023, Samsung announced that it had patched the two vulnerabilities and released version 4.5.49.8 of the Galaxy Store.


Make sure that you have the latest version of the Galaxy App Store running on your Galaxy-branded phone even if the device is running Android 13. That's because there could be other issues related to the older build of the Galaxy Store that can't be neutralized by the security features on Android 13.
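For anyone checking more than one handset, the advice above can be turned into a small audit, shown here as an added example that is not from the article or from NCC Group. It reads `dumpsys package` style output plus the device's API level and reports whether the Galaxy Store is older than 4.5.49.8; the package name `com.sec.android.app.samsungapps`, the sample output and the status strings are assumptions made for illustration.

```python
import re

FIXED_STORE = (4, 5, 49, 8)   # patched Galaxy Store version named in the article
ANDROID_13_API = 33           # API level of Android 13

# Constructed sample of `dumpsys package <pkg>` output (not captured from a device).
SAMPLE_OLD = """Packages:
  Package [com.sec.android.app.samsungapps] (0000000):
    versionCode=454708000 minSdk=26 targetSdk=31
    versionName=4.5.47.8
"""
SAMPLE_FIXED = SAMPLE_OLD.replace("4.5.47.8", "4.5.49.8")


def store_version(dumpsys_output):
    """Return the versionName as a tuple of ints, or None if absent or non-numeric."""
    m = re.search(r"^\s*versionName=(\d+(?:\.\d+)*)\s*$", dumpsys_output, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def assess(dumpsys_output, api_level):
    """Classify one device (status strings are hypothetical labels).

    patched               - Galaxy Store is at 4.5.49.8 or later
    update-needed         - old build on Android 13+; CVE-2023-21433 is not
                            exploitable there, but the build is still unpatched
    update-needed-exposed - old build on Android 12 or below, where the
                            article says CVE-2023-21433 can be abused
    unknown               - no usable version found in the output
    """
    ver = store_version(dumpsys_output)
    if ver is None:
        return "unknown"
    # Pad to equal length so "4.6" compares correctly against "4.5.49.8".
    width = max(len(ver), len(FIXED_STORE))
    pad = lambda v: v + (0,) * (width - len(v))
    if pad(ver) >= pad(FIXED_STORE):
        return "patched"
    if api_level >= ANDROID_13_API:
        return "update-needed"
    return "update-needed-exposed"


if __name__ == "__main__":
    for label, out, api in [("old/A12", SAMPLE_OLD, 31), ("old/A13", SAMPLE_OLD, 33),
                            ("fixed/A12", SAMPLE_FIXED, 31)]:
        print(label, "->", assess(out, api))
```

On a real device the two inputs would come from `adb shell dumpsys package <package>` and `adb shell getprop ro.build.version.sdk`.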

How to update the Galaxy Store on your Samsung phone

To update the Galaxy Store on your phone, open the Galaxy Store app and you should see a notification with a button that says Update. Tap on that button and follow the directions. If you don't see the notification, after opening the app go to Menu > Settings. Tap on About Galaxy Store and press on the update button. Since the update was released on January 1st, there is a good chance that you've already installed the update.

Those who own older Samsung Galaxy phones that no longer have support from Samsung could be out of luck. That's because they would not have an update for the Galaxy Store and their version of the app storefront could contain the flaws. In this case, you could buy a new phone or you might want to disable the Galaxy Store from your phone. But that isn't a good solution either since updates for Samsung apps for your device come through the Galaxy Store.

If buying a new phone is out of the question, keep checking the device to make sure that there aren't any apps installed that you don't recall downloading (outside of the apps that Samsung pre-installed on the handset).
