
Samsung Galaxy Store Vulnerable to Hidden App Installation


Nasty vulnerabilities were discovered in the app store of the South Korean brand.

Two vulnerabilities have been discovered in the Samsung Galaxy Store app for Android that could be used by attackers to stealthily install apps or direct potential victims to fraudulent web landing pages.

The vulnerabilities, identified as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Group in November and December last year. The South Korean conglomerate was promptly notified of the vulnerabilities. Samsung itself classified them as moderate-risk vulnerabilities and released fixes in store version 4.5.49.8.

The first of the two vulnerabilities, CVE-2023-21433, could allow an already installed rogue Android app on a Samsung device to install any other app available on the Galaxy Store. Samsung described this as a “case of improper access control” which it says has been corrected with the appropriate permissions to prevent unauthorized access. The vulnerability only affects Samsung devices running Android 12 and earlier, and does not affect devices running the latest version (Android 13).

The second vulnerability, CVE-2023-21434, is an improper input validation issue. It occurs in the filter that limits the list of domains that can be launched in a web view from the application. “Following a malicious hyperlink from Google Chrome or a pre-installed fraudulent app on a Samsung device can bypass the Samsung URL filter and launch a webview of a maliciously controlled domain,” said Ken Gannon, researcher at NCC Group.
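For developers who maintain a similar domain allowlist in front of a web view, the added example below (not Galaxy Store code and not taken from the NCC Group advisory; the article does not say how Samsung's filter was bypassed) contrasts a substring check with a parse-then-compare check. The host names, sample URLs and function names are constructed for illustration.

```javascript
// Added example: generic allowlist validation, not Samsung's implementation.
// Host names are constructed placeholders.
const ALLOWED_HOSTS = new Set(["store.example.com", "help.example.com"]);

// Weak pattern, shown for contrast: substring match on the raw string.
function naiveIsAllowed(rawUrl) {
  return [...ALLOWED_HOSTS].some((host) => rawUrl.includes(host));
}

// Stricter check: parse first, then compare scheme and exact host name.
function strictIsAllowed(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparsable input is rejected, never passed through
  }
  if (u.protocol !== "https:") return false; // no cleartext or other schemes
  if (u.username !== "" || u.password !== "") return false; // no userinfo part
  if (u.port !== "") return false; // default HTTPS port only
  return ALLOWED_HOSTS.has(u.hostname); // the parser lowercases the host name
}

// Constructed sample inputs covering the usual failure modes of a weak filter.
const SAMPLES = [
  "https://store.example.com/app/123",             // legitimate
  "https://STORE.example.com/app/123",             // legitimate, mixed case
  "https://store.example.com.attacker.test/",      // allowed name as a prefix
  "https://attacker.test/?next=store.example.com", // allowed name in the query
  "https://store.example.com@attacker.test/",      // allowed name as userinfo
  "http://store.example.com/",                     // right host, wrong scheme
  "not a url",                                     // garbage input
];

// Returns one row per sample so the two filters can be compared side by side.
function compare(samples) {
  return samples.map((url) => ({
    url,
    naive: naiveIsAllowed(url),
    strict: strictIsAllowed(url),
  }));
}

for (const row of compare(SAMPLES)) console.log(row);
```

The same decision has to be applied to every navigation the web view performs, including redirects, not only to the first URL it is handed.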

Samsung Galaxy Store, formerly known as Samsung Apps and Galaxy Apps, is a dedicated app store used for Android devices manufactured by Samsung. It was launched in September 2009.


Source: www.securitylab.ru
