The Chinese app for e-commerce Pinduoduo is suspected of having used a high-severity Android vulnerability as a zero-day to spy on its users, in line with the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
For unpatched Android devices, this security hole in the Android Framework (identified as CVE-2023-20963) enables attackers to increase their privileges without the need for user input.
According to CISA, “Android Framework contains an unknown vulnerability that permits privilege escalation after updating an app to a higher Target SDK without the need for additional execution rights.”
With security updates published at the beginning of March. Google patched the flaw and stated that “there are indications that CVE-2023-20963 may be the subject of a limited, targeted attack.”
As a result of malware discovered in off-Play versions of the app, Google banned the official shopping app of the sizable Chinese app for e-commerce site Pinduoduo from the Play Store on March 21. Users were warned that the program might provide “unauthorized access” to their data or device. According to Pinduoduo, there are approximately 750 million active users per month.
Days later, Kaspersky researchers also disclosed they had discovered versions of the app that exploited Android flaws (one of which, according to Ars Technica, is CVE-2023-20963) for privilege escalation and the installation of extra modules intended to spy on users.
Igor Golovin, a security researcher with Kaspersky, told Bloomberg that “The Pinduoduo app had malicious code in certain of its versions that took advantage of well-known Android flaws to elevate privileges, download, and run additional malicious modules, some of which also got access to users’ notifications and files.”
The CVE-2023-20963 vulnerability was added by CISA to its list of Known Exploited Vulnerabilities on Thursday. U.S. Federal Civilian Executive Branch (FCEB) agencies have until May 4th to protect their devices against it.
Federal agencies are required to inspect and patch their networks for all security issues listed in CISA’s KEV catalog following the legally obligatory operational directive (BOD 22-01) from November 2021.
Although the catalog is primarily intended for U.S. federal agencies, it is strongly suggested that private businesses give the vulnerabilities in the CISA catalog top consideration as well.
According to the U.S. cybersecurity organization, “These types of vulnerabilities are common attack vectors for malevolent cyber actors and pose considerable dangers to the federal enterprise.”
Federal organizations must fix iPhones and Macs by May 1st against two security flaws that have been exploited in the wild as zero-days, according to a Monday order from CISA.
Conclusion
A top US security organization has given the government until May 4 to patch a zero-day vulnerability that an e-commerce software used to eavesdrop on customers. United States Agency for Cybersecurity and Infrastructure Security (CISA) added CVE-2023-20963 to its Known Exploited Vulnerabilities List late last week. Google patched the high-severity vulnerability last month after saying it may be under “limited, focused exploitation.” Dangerous Android apps sold for much to $20,000 on Darknet. CISA said the flaw lets attackers elevate privileges on targeted systems without user intervention. “Android Framework contains an unidentified vulnerability that allows for privilege escalation after updating a program to a higher Target SDK without additional execution privileges,” it said.
Last month, Lookout discovered that rogue Pinduoduo Android apps exploited the CVSS 7.8 vulnerability. Two third-party app store versions of the famous Chinese app for e-commerce app were responsible. Threat actors might have remotely controlled millions of devices, stolen data, and installed more malware, researchers warned. Pinduoduo is a popular online shopping platform with over 750 million monthly active users. Despite researchers finding two programs signed with an official key, the company denies its software is harmful. Pinduoduo has been temporarily removed from the Play store. However, most Chinese Android users download from third-party app shops. The CISA inventory of known vulnerabilities is intended to force federal government entities to improve patching processes, but private firms should utilize it to prioritize their efforts.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.