News Heading

CISA Adds Chinese Shopping App-Infected Android Zero-Day to KEV Catalog

Reading time: 2 min

  • Ari Denial

    Written by Ari Denial Cybersecurity & Tech Writer

A Chinese e-commerce app Pinduoduo has been accused of exploiting a high-severity Android vulnerability as a zero-day to spy on its users, according to a warning issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability, tracked as CVE-2023-20963, is an Android Framework security flaw that enables attackers to elevate privileges on unpatched Android devices without user interaction.

Google’s suspension of the Pinduoduo app coincides with increasing tensions between the US and China over security concerns. CISA has added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list, citing Lookout’s findings that the Chinese e-commerce app exploited the Android Framework security flaw in the wild to spy on users.

Lookout’s telemetry data suggests that many victims were located outside of China, including in the US.

The vulnerability allows attackers to escalate privileges without user interaction, enabling the malicious code to perform various actions such as installing apps, removing apps, and accessing private data from third-party apps.

The discovery of an Android exploit being used by a popular app like Pinduoduo for financial gain and competitive advantage is a worrying shift in the threat landscape, according to Justin Albrecht, a threat intelligence researcher at Lookout. He added that the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, among other things.

Meanwhile, Bud Broomhead, CEO at Viakoo, said Android phones are good places to plant bots and form a botnet army, and the vendor of Pinduoduo has not been proactive in alerting users about the vulnerability.

CEO of Approov, Ted Miracco, has raised concerns about the security of Android devices following recent zero-day vulnerabilities discovered in them. Miracco said that while zero-day vulnerabilities are dangerous, both iOS and Android devices are vulnerable, and no operating system is immune to such security threats. Apple announced earlier this week that it had patched two zero-day vulnerabilities affecting iPhones, iPads, and Macs, which were added to CISA’s KEV catalog.

CISA has instructed federal agencies to patch two zero-day vulnerabilities that have been exploited in the wild by May 1st, affecting iPhones and Macs.

Did you like this article? Rate it!
I hated it I don't really like it It was ok Pretty good! Loved it!

We're thrilled you enjoyed our work!

As a valued reader, would you mind giving us a shoutout on Trustpilot? It's quick and means the world to us. Thank you for being amazing!

Rate us on Trustpilot
0 Voted by 0 users
Title
Comment
Thanks for your feedback
Loader
Please wait 5 minutes before posting another comment.
Comment sent for approval.

Leave a Comment

Loader
Loader Show more...