A leading US security agency has given federal civilian agencies until May 4 to patch a zero-day vulnerability which was allegedly exploited by an e-commerce app to eavesdrop on users.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-20963 to its Known Exploited Vulnerabilities Catalog late last week.
The high-severity vulnerability was patched by Google in its March Android security bulletin, after the firm said it may be under “limited, targeted exploitation.”
CISA explained that the bug enables attackers to escalate privileges on targeted devices without user interaction.
“Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed,” it noted.
Mobile security company Lookout confirmed late last month that the vulnerability, which has a CVSS score of 7.8, was being exploited by malicious versions of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app available from third-party app stores were to blame.
Researchers said this could have enabled threat actors to covertly and remotely control millions of devices, to steal data and install additional malware.
With over 750 million monthly active users, Pinduoduo is one of the world’s most popular destinations for online shopping. The firm has denied its software is malicious, even though the two apps analyzed by researchers were apparently signed with an official key.
The Pinduoduo app has been temporarily pulled from the official Google Play store, but most Chinese consumers rely on third-party app stores to source their Android downloads, so the suspension does little to limit exposure there.
Although the CISA catalog of known exploited vulnerabilities is designed to force federal civilian executive branch agencies to remediate listed bugs by a fixed deadline (under Binding Operational Directive 22-01), CISA also strongly recommends that private enterprises use the same catalog to prioritize their own patching efforts.
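One practical way to act on that recommendation is to cross-reference your own vulnerability findings against the KEV feed and rank unpatched items by CISA's due date. The script below is an added illustration, not code from CISA or from the article's sources. It embeds a constructed two-entry snippet in the KEV JSON schema (field names as in the real feed at the `KEV_JSON_URL` shown; only the CVE-2023-20963 due date of May 4, 2023 is taken from the article, the other values are illustrative) plus a constructed asset inventory, so it runs offline. The placeholder `CVE-2023-00000` is a syntactically valid ID chosen to match nothing in the sample feed.

```python
"""Rank unpatched findings by CISA KEV due date (added example, not CISA code)."""
import json
from datetime import date

# Real feed location, for when you replace KEV_SAMPLE with a download.
KEV_JSON_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample mirroring the KEV feed schema. Values other than the
# CVE-2023-20963 due date (from the article) are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-20963",
            "vendorProject": "Android",
            "product": "Framework",
            "vulnerabilityName": "Android Framework Privilege Escalation Vulnerability",
            "dateAdded": "2023-04-13",
            "shortDescription": "Privilege escalation after updating an app to a higher Target SDK.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-04",
            "notes": "",
        },
        {
            "cveID": "CVE-2021-44228",
            "vendorProject": "Apache",
            "product": "Log4j2",
            "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
            "dateAdded": "2021-12-10",
            "shortDescription": "JNDI lookup in log messages allows remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-12-24",
            "notes": "",
        },
    ],
})

# Constructed inventory: (asset, cve_id, already_patched). CVE-2023-00000 is a
# placeholder ID that matches nothing in the sample feed.
INVENTORY = [
    ("android-fleet-build-2023-02", "CVE-2023-20963", False),
    ("android-fleet-build-2023-03", "CVE-2023-20963", True),
    ("intranet-app-server", "CVE-2021-44228", False),
    ("intranet-app-server", "CVE-2023-00000", False),
]


def load_kev(feed_text):
    """Parse KEV JSON text into a {cveID: entry} dict for O(1) lookups."""
    data = json.loads(feed_text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Split unpatched findings into KEV hits (sorted by due date) and the rest.

    Each KEV hit carries the feed's dueDate, days_left (negative when overdue)
    and an overdue flag, so the most urgent items come first.
    """
    kev_hits, others = [], []
    for asset, cve_id, patched in inventory:
        if patched:
            continue
        entry = kev.get(cve_id)
        if entry is None:
            others.append({"asset": asset, "cveID": cve_id})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        kev_hits.append({
            "asset": asset,
            "cveID": cve_id,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "requiredAction": entry["requiredAction"],
        })
    kev_hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return {"kev": kev_hits, "not_in_kev": others}


if __name__ == "__main__":
    report = prioritize(INVENTORY, load_kev(KEV_SAMPLE), date(2023, 4, 20))
    for hit in report["kev"]:
        flag = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]} days left'
        print(f'{hit["cveID"]:16} {hit["product"]:20} due {hit["dueDate"]} ({flag}) on {hit["asset"]}')
    for item in report["not_in_kev"]:
        print(f'{item["cveID"]:16} not in KEV; schedule with normal CVSS-based triage ({item["asset"]})')
```

In production, fetch `KEV_JSON_URL` on a schedule and feed the raw text to `load_kev`; everything not in the catalog still needs patching, but the KEV hits are the ones with evidence of in-the-wild exploitation and should jump the queue regardless of CVSS score.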