CISA Adds Chinese Shopping App-Infected Android Zero-Day to KEV Catalog
The Chinese e-commerce app Pinduoduo has been accused of exploiting a high-severity Android vulnerability as a zero-day to spy on its users, according to a warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The vulnerability, tracked as CVE-2023-20963, is an Android Framework security flaw that enables attackers to elevate privileges on unpatched Android devices without user interaction.
Google’s suspension of the Pinduoduo app coincides with increasing tensions between the US and China over security concerns. CISA has added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list, citing Lookout’s findings that the Chinese e-commerce app exploited the Android Framework security flaw in the wild to spy on users.
Lookout’s telemetry data suggests that many victims were located outside of China, including in the US.
The vulnerability allows attackers to escalate privileges without user interaction, enabling the malicious code to perform various actions such as installing apps, removing apps, and accessing private data from third-party apps.
The discovery of an Android exploit being used by a popular app like Pinduoduo for financial gain and competitive advantage is a worrying shift in the threat landscape, according to Justin Albrecht, a threat intelligence researcher at Lookout. He added that the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, among other things.
Meanwhile, Bud Broomhead, CEO at Viakoo, said Android phones are good places to plant bots and form a botnet army, and the vendor of Pinduoduo has not been proactive in alerting users about the vulnerability.
Ted Miracco, CEO of Approov, has raised concerns about the security of Android devices following the recent zero-day vulnerabilities discovered in them. Miracco said that while zero-day vulnerabilities are dangerous, both iOS and Android devices are vulnerable, and no operating system is immune to such security threats. Apple announced earlier this week that it had patched two zero-day vulnerabilities affecting iPhones, iPads, and Macs, which were added to CISA’s KEV catalog.
CISA has instructed federal agencies to patch, by May 1st, the two zero-day vulnerabilities affecting iPhones and Macs that have been exploited in the wild.