Security News > 2022 > October > Samsung Galaxy Store Bug Could've Let Hackers Secretly Install Apps on Targeted Devices

Samsung Galaxy Store Bug Could've Let Hackers Secretly Install Apps on Targeted Devices
2022-10-31 10:25

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.

The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting bug that occurs when handling certain deep links.

"Here, by not checking the deep link securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application," SSD Secure Disclosure said in an advisory posted last week.

XSS attacks allow an adversary to inject and execute malicious JavaScript code when visiting a website from a browser or another application.

The issue identified in the Galaxy Store app has to do with how deep links are configured for Samsung's Marketing & Content Service, potentially leading to a scenario where arbitrary code injected into the MCS website could lead to its execution.

This could then be leveraged to download and install malware-laced apps on the Samsung device when visiting the link.


News URL

https://thehackernews.com/2022/10/samsung-galaxy-store-bug-couldve-let.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Samsung 1725 182 413 290 88 973