Samsung has patched two vulnerabilities in its mobile app marketplace that could have allowed threat actors to install any app on a target mobile device without the device owner’s knowledge or consent.
Cybersecurity researchers from the NCC Group discovered the vulnerabilities in late December 2022 and tipped Samsung off, with the company issuing a patch (version 220.127.116.11) on January 1 2023.
Now, almost a month after the flaw was addressed, the researchers published technical details and a proof-of-concept (PoC) exploit code.
TechRadar Pro needs you! We want to build a better website for our readers, and we need your help! You can do your bit by filling out our survey and telling us your opinions and views about the tech industry in 2023. It will only take a few minutes and all your answers will be anonymous and confidential. Thank you again for helping us make TechRadar Pro even better.
D. Athow, Managing Editor
Installing malicious apps
While local access is required in the exploiting of both vulnerabilities, for skilled criminals that’s a non-issue, it was said. The researchers demonstrated the flaws by having the app install Pokemon Go, a globally popular geolocation game based on the world of Pokemon.
While Pokemon Go is a benign app, the flaws could have been used for more sinister goals, the researchers confirmed. In fact, threat actors could have used them to access sensitive information or crash mobile apps.
It also needs to be mentioned that Samsung devices running Android 13 are not vulnerable to the flaw, even if their device still carries an older, vulnerable version of the Galaxy Store.
This is due to additional security measures introduced in the latest version of the popular mobile OS.
However, according to figures from AppBrain, just 7% of all Android devices are sporting the latest version, while unsupported versions of Android (9.0 Pie and older) make up roughly 27% of the entire Android market share.
- Here's our list of the best endpoint protection services right now
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.