CISA adds Android zero-day to KEV catalogue
Vulnerability already used in Chinese shopping app Pinduoduo
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Android Framework security flaw to its known exploited vulnerabilities (KEV) catalogue, based on evidence of ongoing exploitation.
The vulnerability, tracked as CVE-2023-20963, was apparently used by the popular Chinese e-commerce app Pinduoduo to spy on its users.
"[The] Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA warned.
Google categorises CVE-2023-20963 as a high-severity privilege escalation vulnerability, with a CVSS score of 7.8, in Android's Framework component. Notably, the flaw can be exploited without user interaction.
This vulnerability impacts several Android versions, including Android 11, Android 12, Android 12L and Android 13.
Google fixed the bug last month, warning that there were indications of targeted exploitation.
The company suspended the Pinduoduo app from its Play Store on 21st March, after detecting malware in versions of the app distributed through other websites.
This followed Chinese researchers reporting malicious behaviour linked to Pinduoduo, accusing the company of using millions of users' devices to create a botnet.
Google tagged Pinduoduo as a harmful app and warned that it could lead to "unauthorised access" of devices or data.
Pinduoduo is one of China's most well-known e-commerce platforms, with over 700 million monthly active users. Despite the allegations, the company has denied any wrongdoing.
Around a week after Google's decision, researchers from mobile security firm Lookout confirmed to Ars Technica that the Pinduoduo app did seem to be trying to seize control of devices, collect data and install other software.
In a follow-up report this month, CNN said that version 6.49.0 of the app contained code specifically created to gain privileged access and monitor user activity on other shopping applications.
CISA's new directive has given US Federal Civilian Executive Branch (FCEB) agencies until 4th May to implement measures to protect their devices against this vulnerability.
As per the binding operational directive (BOD 22-01) issued in November 2021, federal agencies are required to identify and address all security vulnerabilities listed in CISA's KEV catalogue.
BOD 22-01 is only applicable to FCEB agencies, but CISA advises all organisations to prioritise remediating the vulnerabilities listed in the catalogue as part of their overall security strategy.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the agency said.
Apart from CVE-2023-20963, CISA has added a second vulnerability to its KEV catalogue, CVE-2023-29492, which affects installable survey software produced by Novi Survey.
Novi Survey has issued an advisory to its clients about CVE-2023-29492, which the company claims can enable a remote attacker to execute unauthorised code on the server.
The advisory does not provide any information about the vulnerability being exploited in the wild, and there have been no reports of attacks involving this vulnerability so far.