Two vulnerabilities: the first is an exposed, insecure activity that allows other applications to automatically install any application from the Galaxy Store; the second is a filter bypass that can lead to navigating the CloudGame webview to an untrusted domain.
The first issue basically seems like an insecure feature. An activity is exposed; it reads properties from the intent such as directOpen, then if directInstall is true it will install the application specified by the GUID, and if directOpen is true it will open the app after installing.
Ideally this sort of functionality should use a whitelist of applications allowed to invoke the activity, or perhaps some sort of signing mechanism so that only Samsung-trusted sources can generate a valid signature to use it; neither mitigation is in place here.
The second vulnerability is just a filter bypass. The Cloud Game webview can be opened using an intent://cloudgame URI with some expected params that the write-up documents. The key thing is that the host, provided through the monitoringHost parameter, is supposed to be limited to player.glb.samsung-gamelauncher.com. This filter can be bypassed in a pretty classic way though, as it only ensures the host starts with the expected domain, so a domain like player.glb.samsung-gamelauncher.com.attacker.com would also pass.
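To make the prefix-check mistake concrete, here is an added example (not code from the NCC Group write-up or from the Galaxy Store app) that places a startsWith-style check beside a hardened one that parses the URL and compares the host exactly. It assumes the check runs on the URL the webview is about to load; the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class MonitoringHostFilter {
    // Host the write-up says monitoringHost is meant to be limited to.
    static final String ALLOWED_HOST = "player.glb.samsung-gamelauncher.com";

    // Prefix check of the kind described in the write-up: it accepts any host
    // that merely begins with the allowed name, so "<allowed>.attacker.com" passes.
    static boolean prefixCheck(String host) {
        return host != null && host.startsWith(ALLOWED_HOST);
    }

    // Hardened check: parse the full URL, require https, reject any user-info or
    // explicit port in the authority, and compare the parsed host exactly
    // (case-insensitively, since DNS names are). Anything unparsable is rejected.
    static boolean strictCheck(String url) {
        try {
            URI uri = new URI(url);
            String host = uri.getHost();
            return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && uri.getRawUserInfo() == null
                && uri.getPort() == -1
                && host.equalsIgnoreCase(ALLOWED_HOST);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the legitimate host and the bypass shape from the write-up.
        String[] hosts = {
            ALLOWED_HOST,
            ALLOWED_HOST + ".attacker.com",
        };
        for (String h : hosts) {
            String url = "https://" + h + "/";
            System.out.printf("%-55s prefixCheck=%-5b strictCheck=%b%n",
                h, prefixCheck(h), strictCheck(url));
        }
    }
}
```

If legitimate subdomains of the allowed host must be accepted, compare against the parsed host with a dot-prefixed suffix test (host equals ALLOWED_HOST or ends with "." + ALLOWED_HOST), never with a prefix test.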
NCC Group does not document the damage that could be done with this vulnerability. Often these webviews have extra interfaces added to them to communicate with the host application and device, but it's not mentioned in the report.