Two serious flaws found in Galaxy Store; users should update immediately to stay safe

A researcher from the cybersecurity company NCC Group recently reported vulnerabilities in the Galaxy Store app that comes preloaded on Samsung Galaxy phones. The vulnerability has been assigned the Common Vulnerabilities and Exposures identifier CVE-2023-21433 to facilitate further tracking by researchers, and Google will also follow up in its monthly Android security updates. In addition, security researchers from NCC Group discovered another vulnerability, CVE-2023-21434, which allows attackers to execute JavaScript code on Galaxy phones at will.


NCC Group stated that attackers can exploit the vulnerability to obtain users’ personal information and cause the program to crash. If an attacker uploads a malicious program to the Galaxy Store, the malicious program can be distributed and installed without the user’s permission, causing serious security risks.

An attacker only needs to spread a link on the internet that opens the Galaxy Store: Galaxy phones running Android 12 or below can then be made to install any program available on the Galaxy Store without the user's permission. Galaxy phones that have been upgraded to Android 13 are not affected by this vulnerability. Fortunately, Samsung released version 4.5.49.8 of the Galaxy Store app on New Year's Day 2023. Updating to this version fixes both of the serious vulnerabilities described above. To check the version of Galaxy Store, open the program and select Menu, then tap the gear icon in the upper right corner, and then open About Galaxy Store to see the version number.
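For anyone managing more than one handset, the version check above can be run over an inventory export. The following is an added example, not code from NCC Group or Samsung; the CSV column names, the sample rows and the status labels are assumptions made for illustration.

```python
import csv
import io

FIXED_STORE = (4, 5, 49, 8)  # fixed Galaxy Store version named in the article
LAST_AFFECTED_ANDROID = 12   # article: Android 12 or below is affected

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
device_id,android_release,galaxy_store_version
phone-01,12,4.5.48.3
phone-02,13,4.5.41.8
phone-03,11,4.5.49.8
phone-04,12,4.5.50.1
phone-05,10,
phone-06,12L,4.5.9.2
"""

def parse_version(text):
    """'4.5.49.8' -> (4, 5, 49, 8); None when the field is empty or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def android_major(text):
    """Leading integer of the release string, so '12L' -> 12; None if absent."""
    digits = ""
    for ch in text.strip():
        if not ch.isdigit():
            break
        digits += ch
    return int(digits) if digits else None

def classify(android_release, store_version):
    store = parse_version(store_version)
    major = android_major(android_release)
    if store is None or major is None:
        return "unknown"      # missing data: check the device by hand
    if store >= FIXED_STORE:  # numeric tuple compare, so 4.5.9.x < 4.5.49.8
        return "patched"
    if major <= LAST_AFFECTED_ANDROID:
        return "exposed"      # affected Android release and store below the fix
    return "outdated"         # Android 13+: store still below the fixed version

def triage(inventory_csv):
    """Map each device_id to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device_id"]: classify(r["android_release"], r["galaxy_store_version"])
            for r in rows}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 4.5.9.2 above 4.5.49.8 and wrongly report that device as patched.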
