VULNERABILITY IN GALAXY STORE ALLOWS ATTACKERS TO EXECUTE MALWARE REMOTELY ON SAMSUNG PHONES WITHOUT USER INTERACTION

A flaw in the Galaxy Store lets remote adversaries trigger the installation and/or launch of an application, resulting in remote command execution on the Samsung phone.
The Galaxy Store application handles certain deeplinks, which can be invoked from a browser or from another app. When the Galaxy Store receives a matching deeplink, it parses it and displays the result in a WebView.

Here, because the deeplink is not validated, the adversary is able to run JavaScript in the context of the Galaxy Store application’s WebView whenever a user taps a link on a website that contains the deeplink.

Let’s consider the following example:
When the deeplink samsungapps://MCSLaunch?action=each_event&url={{url}} is sent, the Galaxy Store handles it as follows:

  • The app checks the deeplink for the scheme string “samsungapps”.
  • If the string MCSLaunch is present, the app proceeds with the MCS WebView flow.
  • Finally, it loads the WebView with the value of the url parameter.

The interesting part is the Samsung MCS Direct Page website that the WebView is pointed at. This site extracts a parameter from the url and renders it on the page; because the value is not encoded before it is rendered, this results in an XSS flaw.
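The following is an added example (not Samsung’s code) that models the three-step deeplink flow above and shows the two checks that were missing: an allowlist on the url parameter before it reaches the WebView, and HTML-encoding of the reflected parameter on the page side. The hosts in ALLOWED_HOSTS and the parameter values are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
from html import escape

# Constructed allowlist of hosts the MCS WebView may load (assumption,
# not Samsung's actual configuration).
ALLOWED_HOSTS = {"img.samsungapps.com", "apps.samsung.com"}


def parse_mcs_deeplink(link):
    """Steps 1-3 from the write-up: scheme 'samsungapps', host 'MCSLaunch',
    then the 'url' query parameter. Returns the url value, or None if the
    link is not an MCSLaunch deeplink at all."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "samsungapps":
        return None
    if parts.netloc != "MCSLaunch":
        return None
    values = parse_qs(parts.query).get("url")  # parse_qs URL-decodes the value
    return values[0] if values else None


def is_safe_webview_target(url):
    """Missing check on the app side: only https URLs whose host is on the
    allowlist may be loaded. Rejects javascript:, file:, http: and any
    attacker-controlled host (hostname is parsed, so user@host tricks fail)."""
    p = urlsplit(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def handle_deeplink(link):
    """Hardened flow: parse, then refuse anything not on the allowlist."""
    target = parse_mcs_deeplink(link)
    if target is None:
        return "not-an-mcs-deeplink", None
    if not is_safe_webview_target(target):
        return "rejected", target
    return "load", target


def render_reflected_param(value):
    """Server-side fix for the MCS Direct Page bug: HTML-encode the reflected
    query parameter before inserting it into the page markup."""
    return "<span>" + escape(value, quote=True) + "</span>"


if __name__ == "__main__":
    # Constructed sample links: one on the allowlist, one pointing elsewhere.
    print(handle_deeplink("samsungapps://MCSLaunch?action=each_event"
                          "&url=https%3A%2F%2Fimg.samsungapps.com%2Fmcs"))
    print(handle_deeplink("samsungapps://MCSLaunch?url=https%3A%2F%2Fevil.example%2F"))
```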

Affected Versions

Galaxy Store version 4.5.32.4

The researcher was able to launch the calculator app by exploiting this XSS vulnerability, as shown in the PoC.

Demo