The company supplies an app called S Suggest as part of the default setup on older smartphones. This app suggests the use of other popular apps to users.
Samsung appears to have discontinued the S Suggest app recently, according to a report on Motherboard, and let one of the domains used to control the app, ssuggest.com, expire.
Anyone who registered the lapsed domain gained a means of pushing malicious apps to the millions of devices that still have S Suggest installed.
S Suggest holds permissions that allow it to remotely reboot the phone and install apps or packages, so control of the domain translates directly into code execution on the handset.
Another security researcher, Ben Actis, told Motherboard that if an attacker had found out about the domain and registered it, he or she could have pushed backdoored or malicious apps to millions of Samsung smartphones.
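The takeover works only because control of the domain was, by itself, enough to get packages installed. The check a practitioner would want is that the update channel trust a key pinned in the app rather than the DNS name. What follows is an added example, not Samsung's code and not anything from the Motherboard report: a Go sketch of an update client that verifies each manifest against a pinned Ed25519 vendor public key and refuses anything else. The manifest layout, package names, URLs and function names are assumptions for illustration, and the three manifests it checks are constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed update manifest an app like S Suggest would fetch
// from its control domain; the fields are illustrative, not Samsung's format.
type Manifest struct {
	Package string `json:"package"`
	Version int    `json:"version"`
	URL     string `json:"url"`
}

// SignedManifest is the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Body []byte
	Sig  []byte
}

// ErrBadSignature is returned when the manifest was not signed by the pinned key.
var ErrBadSignature = errors.New("manifest signature does not verify against pinned vendor key")

// Sign serialises the manifest and signs it with the vendor's private key,
// which lives in the vendor's release pipeline, never on the control server.
func Sign(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify is the client-side check. The public key is pinned in the app
// binary, so it is independent of who controls the DNS name or holds a TLS
// certificate for it; whoever registers an expired control domain cannot satisfy it.
func Verify(pinned ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, sm.Body, sm.Sig) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// Result records what the client would do in each constructed scenario.
type Result struct {
	VendorAccepted   bool     // manifest signed by the vendor key
	SquatterAccepted bool     // manifest signed by the domain squatter's own key
	TamperedAccepted bool     // vendor-signed body altered in transit
	Installed        Manifest // what the client would install in the vendor case
}

// Scenario builds three manifests (constructed for this example) and runs the
// pinned-key check against each one.
func Scenario() (Result, error) {
	var r Result
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	// The squatter who registered the expired domain has a key too, just not the vendor's.
	_, squatterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	genuine, err := Sign(vendorPriv, Manifest{Package: "com.example.suggested", Version: 3, URL: "https://cdn.example.com/suggested-3.apk"})
	if err != nil {
		return r, err
	}
	forged, err := Sign(squatterPriv, Manifest{Package: "com.example.backdoor", Version: 1, URL: "https://squatted.example/backdoor.apk"})
	if err != nil {
		return r, err
	}
	// Tampering: keep the vendor's signature but swap the download URL in the body.
	tampered := SignedManifest{
		Body: []byte(`{"package":"com.example.suggested","version":3,"url":"https://squatted.example/x.apk"}`),
		Sig:  genuine.Sig,
	}

	m, err := Verify(vendorPub, genuine)
	r.VendorAccepted = err == nil
	r.Installed = m
	_, err = Verify(vendorPub, forged)
	r.SquatterAccepted = err == nil
	_, err = Verify(vendorPub, tampered)
	r.TamperedAccepted = err == nil
	return r, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor accepted=%v squatter accepted=%v tampered accepted=%v\n",
		r.VendorAccepted, r.SquatterAccepted, r.TamperedAccepted)
	fmt.Printf("would install %s v%d from %s\n", r.Installed.Package, r.Installed.Version, r.Installed.URL)
}
```

The point of pinning a signing key rather than relying on HTTPS alone is that a new registrant of the domain can obtain a perfectly valid certificate for it; only a key the registrant does not have keeps the install path closed. A real client would also check the version against the installed one to stop replay of an old, genuinely signed manifest.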
Samsung's stuff-up comes a couple of months after a researcher described its Tizen operating system — which the company has touted as an Android replacement — as having some of the worst code he had ever seen.