Samsung has fixed two vulnerabilities in its mobile application marketplace that could have allowed threat actors to install any application on a targeted mobile device without the knowledge or consent of the device owner.
Cybersecurity researchers from the NCC Group discovered the vulnerabilities in late December 2022 and notified Samsung to release a patch (v4.5.49.8) on January 1, 2023.
Now, after nearly a month of addressing the flaw, the researchers have published technical details and proof-of-concept (PoC) exploit code.
Install malicious apps
The first flaw is tracked as CVE-2023-21433, which is an incorrect access control flaw that can be used to install applications on the target endpoint. The second flaw, tracked as CVE-2023-21434, is described as an incorrect input validation vulnerability, which can be used to execute malicious JavaScript on the target machine.
While local access is required in exploiting both vulnerabilities, it has been argued that this is not a problem for skilled criminals. The researchers demonstrated the flaws by installing the app Pokemon Go, a world-famous geolocation game based on the Pokemon universe.
While Pokemon Go is a benign app, the researchers confirmed that the flaws could have been used for more sinister ends. In fact, the threat actors could have used it to gain access to sensitive information (Opens in a new tab) or mobile app crashes.
It should also be noted that Samsung devices running Android 13 are not vulnerable to defects, even if their devices are still running an old and vulnerable version from the Galaxy Store.
This is due to the additional security measures that have been introduced in the latest version of the popular mobile operating system.
However, according to figures from AppBrain, only 7% of all Android devices are running the latest version, while unsupported versions of Android (9.0 Pie and earlier) make up nearly 27% of the total Android market share.
Via: BleepingComputer (Opens in a new tab)