CISA adds Android zero-day that infected Chinese shopping app to KEV catalog


An Android zero-day exploited against millions of devices through a Chinese ecommerce app was added Thursday to the catalog of known exploited vulnerabilities maintained by the U.S. agency charged with protecting the nation’s cybersecurity and critical infrastructure.

The U.S. Cybersecurity and Infrastructure Security Agency was responding to press reports about the zero-day vulnerability and to researchers’ confirmation that the vulnerability was genuine.

About a week after Google removed Pinduoduo from its Play Store in late March, researchers at mobile security company Lookout confirmed for Ars Technica that the Pinduoduo app appeared to take control of devices, harvest data, and install other software, with millions of devices potentially impacted.

Google described the bug — CVE-2023-20963 — as a high-severity (7.8 CVSS score) privilege escalation flaw in Android’s Framework component. The vulnerability affects Android 11, Android 12, Android 12L, and Android 13. CISA advised security teams to patch the bug immediately, and civilian federal agencies have two weeks to patch the vulnerability.

Google’s suspension of the Pinduoduo app comes at a time of increased tensions between the United States and China over the popular social media app TikTok, which some U.S. lawmakers and intelligence officials say could pose security threats.

“CISA’s addition of CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list aligns with our findings regarding exploitation of this vulnerability in the wild,” said Justin Albrecht, threat intelligence researcher at Lookout. Citing Lookout telemetry data, Albrecht said many of these victims were located outside of China, including victims within the United States.

Albrecht said the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, such as accessing notification content without user interaction; remove apps; make it impossible for the user to remove certain apps; infect third-party apps present on the device with malicious code; and access and manipulate data that is private to third-party apps.
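Two of the behaviours Albrecht describes, apps being installed by another app rather than by the store, and apps silently granted access to notification content, leave traces that a responder can read off a device with `adb`. The following triage helper is an added example written for this article, not code from Lookout, Google or CISA. It parses the output of `adb shell pm list packages -i` (one line per package in the form `package:<name>  installer=<installer>`) and of `adb shell settings get secure enabled_notification_listeners` (colon-separated `package/component` names, or `null` when none are enabled), and flags packages whose installer is not the Play Store (`com.android.vending`) or that hold notification-listener access. The sample command output embedded below is constructed; the package names in it are placeholders, not indicators from the Pinduoduo case.

```python
"""Triage helper: flag Android packages installed by another app and
packages granted notification-listener access.

Input is the text output of two adb commands:
  adb shell pm list packages -i
      -> "package:com.example.app  installer=com.android.vending"
  adb shell settings get secure enabled_notification_listeners
      -> "pkg/Component:pkg2/Component2"  (or "null" when none)
The sample strings below are constructed for this example.
"""
import re
from dataclasses import dataclass

PLAY_STORE = "com.android.vending"  # Google Play's installer package name

# Constructed sample output (assumption): one package was installed by
# another app instead of the store, and the same package holds a
# notification listener. System apps report "installer=null".
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.shop  installer=com.android.vending
package:com.example.helper  installer=com.example.shop
package:com.android.settings  installer=null
"""

SAMPLE_LISTENERS = "com.example.helper/com.example.helper.NotifService"

_PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_list(text):
    """Return {package: installer_or_None} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # ignore headers or unrelated shell noise
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def parse_listeners(text):
    """Return the set of packages with an enabled notification listener."""
    text = text.strip()
    if not text or text == "null":
        return set()
    # Each entry is "package/ComponentClass"; keep only the package part.
    return {comp.split("/", 1)[0] for comp in text.split(":") if comp}


@dataclass
class Finding:
    package: str
    reasons: list


def triage(pm_text, listeners_text, trusted_installers=(PLAY_STORE,)):
    """Cross-reference installer origin and listener access; return findings."""
    installers = parse_pm_list(pm_text)
    listeners = parse_listeners(listeners_text)
    findings = []
    for pkg, inst in sorted(installers.items()):
        reasons = []
        # Preinstalled system apps have no installer; a third-party app
        # acting as installer is what the article's behaviour looks like.
        if inst is not None and inst not in trusted_installers:
            reasons.append(f"installed by another app: {inst}")
        if pkg in listeners:
            reasons.append("has notification-listener access")
        if reasons:
            findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_LISTENERS):
        print(f.package, "->", "; ".join(f.reasons))
```

On a real device, replace the constructed strings with the captured command output; a package that appears in both lists is worth pulling for analysis, and the `trusted_installers` tuple should be widened to include any enterprise MDM or OEM store the fleet legitimately uses.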

“The prevalence of iOS and Android exploits continues to grow,” said Albrecht. “Recent…

Source…