Samsung Galaxy Store: five-bug chain to arbitrary APK installation

The Bugscale team published an analysis of an attack on Galaxy Store 4.6.02.7 on the Samsung S25: a malicious app, with no permissions and no user interaction, can install an arbitrary local APK.
The attack chains five bugs:
  1. The Cloud Games feature uses a deeplink to install an auxiliary Shell APK to a predictable path without integrity checks.
  2. The Store's custom signature validation downgrades from scheme v3 to v2 and does not verify that the signature block matches the actual APK data (the attacker copies the v2 signature block from the original Shell APK into their payload — the Store accepts it via v2, while the Android system installer validates it via v3).
  3. The exported SmartSwitchReceiver, without permission checks, allows path traversal via new File(...) during data restore.
  4. The authentication confirmation protocol uses Random initialized with System.currentTimeMillis().
  5. A NullPointerException in IapReceiver forces the Store to crash and restart on demand, narrowing the brute-force window for the seed.
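Bugs 4 and 5 together, as an added example (not Bugscale's or Samsung's code): it measures how little entropy a token has when it comes from Random seeded with System.currentTimeMillis() and the process start time is known to within a window, next to a SecureRandom replacement. The class and method names, the timestamp, the 2-second window and the use of nextLong() as the token are assumptions; the page does not describe how the Store derives its value.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SeedEntropyDemo {
    // Weak pattern from bug 4: the token is a pure function of the clock value.
    static long weakToken(long seedMillis) {
        return new Random(seedMillis).nextLong();
    }

    // Counts the clock values in [start, end] that reproduce an observed token.
    // The loop length is the real size of the token space, whatever the token width.
    static int matchingSeeds(long token, long start, long end) {
        int hits = 0;
        for (long s = start; s <= end; s++) {
            if (weakToken(s) == token) {
                hits++;
            }
        }
        return hits;
    }

    // Hardened form: 128 bits from the platform CSPRNG, unrelated to start time.
    static byte[] strongToken() {
        byte[] t = new byte[16];
        new SecureRandom().nextBytes(t);
        return t;
    }

    public static void main(String[] args) {
        long processStart = 1_700_000_000_000L;     // constructed timestamp
        long token = weakToken(processStart + 37);  // seeded 37 ms after start (constructed)
        long windowMs = 2_000;                      // assumed uncertainty after a forced restart
        long candidates = windowMs + 1;
        int hits = matchingSeeds(token, processStart, processStart + windowMs);
        double bits = Math.log(candidates) / Math.log(2);
        System.out.printf("candidates=%d matching=%d effective entropy=%.1f bits%n",
                candidates, hits, bits);
        System.out.println("SecureRandom token bits=" + strongToken().length * 8);
    }
}
```

A restart that can be triggered on demand (bug 5) is what keeps the window small, so the crash needs fixing independently of the move to SecureRandom.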
Published
2026-05-05, 12:52