Samsung Galaxy Store Bug Could’ve Let Hackers Secretly Install Apps on Targeted Devices

A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones.

The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue.

“Here, by not checking the deep link securely, when a user accesses a link from a website containing the deeplink, the attacker can execute JS code in the webview context of the Galaxy Store application,” SSD Secure Disclosure said in an advisory posted last week.

XSS attacks allow an adversary to inject malicious JavaScript code that executes when a victim visits a website from a browser or another application.

The issue identified in the Galaxy Store app has to do with how deep links are configured for Samsung’s Marketing & Content Service (MCS), potentially leading to a scenario where arbitrary code injected into the MCS website is executed.

This could then be leveraged to download and install malware-laced apps on the Samsung device when the victim visits the link.

“To be able to successfully exploit the victim’s server, it is necessary to have HTTPS and CORS bypass of chrome,” the researchers noted.
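
The advisory quoted above attributes the bug to a deep link that was not checked securely before its content reached the WebView. The following is an added example, not code from Samsung, SSD Secure Disclosure or this article, showing a strict check on a deep link's target before it is loaded or echoed into a page; the scheme `exampleapp:`, the `url` parameter and the host `content.example.com` are assumptions, since the article does not give the real deep-link format.

```javascript
// Added example. The scheme, parameter name and host below are hypothetical.
const ALLOWED_SCHEME = "exampleapp:";                     // assumed deep-link scheme
const ALLOWED_HOSTS = new Set(["content.example.com"]);   // assumed content host

// Returns the URL a WebView may load, or null when the deep link is rejected.
function resolveDeepLink(deepLink) {
  let link;
  try { link = new URL(deepLink); } catch { return null; }
  if (link.protocol !== ALLOWED_SCHEME) return null;

  const raw = link.searchParams.get("url");               // already percent-decoded
  if (!raw) return null;

  let target;
  try { target = new URL(raw); } catch { return null; }

  // Only HTTPS: rejects javascript:, data:, file: and cleartext http:.
  if (target.protocol !== "https:") return null;
  // Reject userinfo, which can disguise the real host (https://trusted@other/).
  if (target.username || target.password) return null;
  // Reject non-default ports.
  if (target.port !== "") return null;
  // Exact host match; substring or suffix checks accept look-alike hosts.
  if (!ALLOWED_HOSTS.has(target.hostname)) return null;

  return target.href;
}

// Encode any value from the link that the page echoes as text, so it is
// rendered as data rather than parsed as markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample links.
const samples = [
  "exampleapp://launch?url=https%3A%2F%2Fcontent.example.com%2Fevent%3Fid%3D7",
  "exampleapp://launch?url=javascript:alert(1)",
  "exampleapp://launch?url=https://content.example.com.attacker.test/",
  "exampleapp://launch?url=https://content.example.com@attacker.test/",
];
for (const s of samples) {
  console.log(resolveDeepLink(s) ?? "rejected", "<-", s);
}
```

Both controls are needed: the allowlist limits which page the WebView opens, and output encoding keeps a parameter that the allowed page reflects from being interpreted as script.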

