The US Cybersecurity and Infrastructure Security Agency (CISA) today warned of a high-severity Android vulnerability that the Chinese e-commerce app Pinduoduo allegedly exploited as a zero-day to spy on its users.

This Android Framework security flaw (tracked as CVE-2023-20963) allows attackers to escalate privileges on unpatched Android devices without requiring user interaction.

“Android Framework contains an unspecified vulnerability that allows elevation of privilege after updating an application to a higher target SDK without additional execution privileges needed,” CISA explains.

Google fixed the bug in security updates released in early March, saying that “there are indications that CVE-2023-20963 may be subject to limited and targeted exploitation”.

On March 21, Google suspended the official shopping app of Chinese online retail giant Pinduoduo (which claims more than 750 million monthly active users) from the Play Store after discovering malware in non-Play versions of the app, flagging it as a harmful app and warning users that it could gain “unauthorized access” to their data or their device.

A few days later, Kaspersky researchers also revealed that they had found versions of the app exploiting Android vulnerabilities (one of them CVE-2023-20963, according to Ars Technica) to escalate privileges and install additional modules designed to spy on users.

“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to elevate privileges, download and run additional malicious modules, some of which also gained access to user notifications and files,” Igor Golovin, security researcher at Kaspersky, told Bloomberg.

Federal agencies ordered to patch within three weeks

US Federal Civilian Executive Branch (FCEB) agencies have until May 4 to secure their devices against CVE-2023-20963, which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on Thursday.

Under Binding Operational Directive 22-01 (BOD 22-01), issued in November 2021, federal agencies must check their networks for every vulnerability listed in CISA’s KEV catalog and remediate it by the assigned deadline.

Although the catalog is primarily aimed at US federal agencies, private companies are also strongly advised to prioritize remediation of the vulnerabilities it lists.
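As an added example (not code from the article, CISA, Google or Kaspersky), the POSIX shell script below turns the remediation points above into a check a fleet administrator can run: it reads each device's security patch level (the `ro.build.version.security_patch` system property) over adb and reports whether it is at or after the March 2023 Android update in which Google fixed the bug. The assumption that the fix corresponds to the 2023-03-01 patch level is mine and should be confirmed against your vendor's bulletin; the function names and the `adb` wrapper are illustrative.

```shell
#!/bin/sh
# Added example, not code from the article, CISA, Google or Kaspersky.
# Checks whether an Android device's security patch level is recent enough to
# include the Android security update in which Google fixed CVE-2023-20963.
# Assumption (not stated in the article): that fix shipped with the
# 2023-03-01 security patch level of the March 2023 bulletin. Adjust
# FIX_PATCH_LEVEL if your vendor tracks the fix under a different level.

FIX_PATCH_LEVEL="2023-03-01"

# Convert a YYYY-MM-DD patch level into the integer YYYYMMDD so levels can be
# compared numerically with POSIX test(1). Prints nothing and returns 1 on
# malformed input (e.g. an empty string or "March 2023").
patch_level_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
      printf '%s\n' "$1" | tr -d '-'
      ;;
    *)
      return 1
      ;;
  esac
}

# Returns 0 if the given patch level is at or after FIX_PATCH_LEVEL,
# 1 if it is older, 2 if it is not a well-formed patch level.
patch_level_ok() {
  have=$(patch_level_to_int "$1") || return 2
  need=$(patch_level_to_int "$FIX_PATCH_LEVEL")
  [ "$have" -ge "$need" ]
}

# Prints PATCHED, UNPATCHED or UNKNOWN for a patch level string.
# "||" keeps a non-zero status from tripping "set -e" in callers.
classify_patch_level() {
  rc=0
  patch_level_ok "$1" || rc=$?
  case $rc in
    0) echo PATCHED ;;
    1) echo UNPATCHED ;;
    *) echo UNKNOWN ;;
  esac
}

# Query one device over adb and print "<serial> <patch level> <verdict>".
# Requires adb on PATH and the device authorized for USB debugging.
check_device() {
  serial="$1"
  level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r\n')
  printf '%s %s %s\n' "$serial" "${level:-?}" "$(classify_patch_level "$level")"
}

# Scan every device adb can see. Returns 1 if any device is UNPATCHED or
# UNKNOWN, so the script can gate a fleet compliance check.
scan_connected_devices() {
  status=0
  for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
    line=$(check_device "$serial")
    echo "$line"
    case "$line" in
      *" PATCHED") ;;
      *) status=1 ;;
    esac
  done
  return "$status"
}

# Only talk to adb when explicitly asked: sh check_patch_level.sh --scan
if [ "${1:-}" = "--scan" ]; then
  scan_connected_devices
fi
```

Run it with `--scan` on a host that has `adb` and the devices authorized; a device whose patch level is `?` or reads `UNKNOWN` has a property you should inspect by hand, since a vendor build can report a non-standard string. Because the patch level is a build property rather than proof that a particular patch was applied, treat PATCHED as "carries at least the March 2023 level", not as a guarantee that the vendor backported every fix.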

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

On Monday, CISA also ordered federal agencies to patch iPhones and Macs by May 1 against two security vulnerabilities exploited in the wild as zero-days.
