CISA: Patch Bug Exploited by Chinese E-commerce App

A major US security agency has given federal government agencies until May 4 to patch a zero-day vulnerability allegedly exploited by e-commerce apps to spy on users.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-20963 to its catalog of known exploited vulnerabilities late last week.

The high-severity vulnerability was patched by Google last month after the company said it may have suffered a “limited and targeted attack.”

CISA explained that the bug allows an attacker to escalate privileges on a targeted device without user intervention.

“The Android framework contains an unspecified vulnerability that allows privilege escalation after updating an app to a higher Target SDK without requiring additional execution permissions.”

Mobile security company Lookout confirmed late last month that the vulnerability, which carries a CVSS score of 7.8, had been exploited by a malicious version of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app, distributed through third-party app stores, were to blame.

Researchers say this could have enabled attackers to covertly and remotely control millions of devices, steal data and install additional malware.

With over 750 million monthly active users, Pinduoduo is one of the world’s most popular online shopping destinations. Two of its apps that the researchers analyzed were apparently signed with an official key, but the company denies that the software is malicious.

The Pinduoduo app has been temporarily removed from the official Play Store, but most Chinese consumers still rely on third-party app stores to download Android apps.

While the CISA Known Exploited Vulnerabilities catalog is designed to force federal agencies to improve their patching processes, the agency strongly recommends that private sector companies use the same resource to prioritize their own patching efforts.
