
Here We Go Again A Five-Bug Chain to Arbitrary APK Install o...#2201

Open
carlospolop wants to merge 1 commit into master from update_Here_We_Go_Again__A_Five-Bug_Chain_to_Arbitrary_AP_20260504_083150

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope / threat model

The post documents a 5-bug exploit chain in Samsung Galaxy Store v4.6.02.7 (tested on Samsung S25) that enables a malicious local app (no special permissions) to trigger a silent install of an arbitrary local APK (no user interaction, no install confirmation). The payload APK does not need to be hosted on Galaxy Store (or any store); it only needs to be present lo...

🔧 Technical Details

Deterministic artifact substitution via size-only download validation: If an installer/downloader uses a deterministic on-disk path and treats an existing file as “already downloaded” when filesize >= expected_size (without verifying hash/signature at the download stage), an attacker who can write to that path can substitute the artifact (e.g., an APK) and force later install stages to consume attacker-controlled content.

APK signature-scheme confusion against custom verifiers: If an app implements custom APK signature validation and (1) incorrectly falls back from v3 to v2 when v3 exists but doesn’t match the expected signer, and (2) validates v2 by checking only the signature over the digest present in the signing block (without recomputing/verifying that the APK contents hash to that digest), an attacker can craft a “dual-signed” APK: include an attacker-controlled valid v3 signature (so Android installs it) and graft a trus...

🤖 Agent Actions

I’m analyzing the Samsung Galaxy Store chain, mapping the underlying techniques to existing HackTricks Android content, and then I’ll update the most appropriate single file with only the non-duplicated material.
I have the repo layout. Next I’m narrowing the Android section and checking whether HackTricks already covers the specific primitives from the Galaxy Store chain before choosing a single target file.
The Android section already has material on exported components, content providers, deep links, and APK tooling. I’m reading the core files now to see whether this belongs in a focused page or in the main Android methodology without duplicating existing guidance.
The best fit is looking like android-applications-basics.md: it already has the component model, broadcast receivers, content providers, deep links, and app-signing concepts in one place, which lets me keep this change in a single file without scattering related techniques.
I’ve confirmed the repo does not already document the Samsung-specific primitives. I’m fetching the small set of external references I’ll cite so the added section can stay abstract but still point readers to the exact signing and Shell APK docs.
I’ve got the exact insertion points. I’m editing android-applications-basics.md now to add short, technique-focused subsections under Broadcast Receivers, Content Providers, and Digital Signing, then I’ll update the references block at the end.
The edit is in place. I’m re-reading the touched sections now to make sure the content stays concise, lands in the right subsections, and keeps the references block valid at the end of the file.
The file reads cleanly after the patch. I’m doing a final diff and whitespace check now, then I’ll close out the task list and summarize exactly what changed.
Updated android-applications-basics.md as the single target file. I kept it in the existing Android basics page because the blog’s value is the abstraction of several Android techniques, not a Samsung-specific page.

The additions cover exported receiver challenge-response bypasses with startup-seeded RNGs and crash-to-restart primitives, DocumentProvider-driven restore/import path traversal leading to arbitrary file write in the victim sandbox, deterministic installer cache/artifact substitution, and custom APK signature-scheme confusion with a concise apksigner flow. I also updated the final ## References block with the Bugscale post and the relevant Android/Samsung docs. git diff --check is clean, and only this file was modified.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
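The two verifier decisions described under Technical Details, as an added example that is not code from the Bugscale post or from Galaxy Store: a toy Python model of the download-stage "already downloaded" check and the install-stage scheme selection, each in its flawed form beside a hardened form. Hypothetical per-signer HMAC keys stand in for certificates and RSA/EC signatures, and the file path and APK bytes are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Download stage: the "already downloaded, skip fetching" decision.
def cached_ok_flawed(path, expected_size):
    # Size-only check: any file at the deterministic path that is big enough passes.
    return os.path.isfile(path) and os.path.getsize(path) >= expected_size

def cached_ok_hardened(path, expected_size, expected_sha256):
    # Pin the exact size and the content hash announced by the backend before reuse.
    if not os.path.isfile(path) or os.path.getsize(path) != expected_size:
        return False
    with open(path, "rb") as f:
        return hmac.compare_digest(hashlib.sha256(f.read()).hexdigest(), expected_sha256)

# Install stage: toy model of a custom signature-scheme verifier. Hypothetical:
# per-signer HMAC keys stand in for certificates and RSA/EC signatures.
SIGNER_KEYS = {"trusted-vendor": b"vendor-key", "attacker": b"attacker-key"}

@dataclass
class SchemeBlock:
    signer: str       # identity of the signing certificate
    digest: bytes     # digest of APK contents claimed inside the block
    signature: bytes  # signature over the claimed digest

def make_block(signer, apk_bytes):
    digest = hashlib.sha256(apk_bytes).digest()
    return SchemeBlock(signer, digest, hmac.new(SIGNER_KEYS[signer], digest, "sha256").digest())

def signature_ok(block, expected):
    sig = hmac.new(SIGNER_KEYS[expected], block.digest, "sha256").digest()
    return block.signer == expected and hmac.compare_digest(sig, block.signature)

def verify_flawed(apk_bytes, v3, v2, expected="trusted-vendor"):
    # Bug 1: v3 exists but its signer mismatches, so the verifier silently falls back to v2.
    if v3 is not None and signature_ok(v3, expected):
        return hmac.compare_digest(v3.digest, hashlib.sha256(apk_bytes).digest())
    # Bug 2: v2 accepted on the signature over the claimed digest alone; contents never hashed.
    return v2 is not None and signature_ok(v2, expected)

def verify_hardened(apk_bytes, v3, v2, expected="trusted-vendor"):
    # The highest scheme present is authoritative: never downgrade past an existing v3 block,
    # and always recompute the content digest and compare it with the claimed one.
    block = v3 if v3 is not None else v2
    if block is None or not signature_ok(block, expected):
        return False
    return hmac.compare_digest(block.digest, hashlib.sha256(apk_bytes).digest())
```

With a grafted block (attacker v3 plus a genuine vendor v2 copied from another APK), verify_flawed accepts while verify_hardened rejects; the cache check likewise passes an oversized substitute until the size and hash are pinned.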

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://bugscale.ch/blog/here-we-go-again-a-five-bug-chain-to-arbitrary-apk-install-on-samsung-s25/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new page or additions under: Exported Components/Broadcast Receivers, Path Traversal/Arbitrary File Write, and Custom APK Signature Verification / Signature Scheme Confusion)".

Repository Maintenance:

  • MD Files Formatting: 973 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
