
Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation

Android is the world’s most popular mobile operating system, and a vulnerability affecting it has reportedly been exploited as a zero-day by a Chinese application. On March 21, Google suspended the popular Chinese shopping application Pinduoduo after malware was discovered in versions of the app distributed through third-party websites. Chinese researchers reported observing malicious behavior associated with Pinduoduo, accusing the company of ensnaring the devices of hundreds of millions of its users in a botnet.

Lookout, a mobile security firm, confirmed that the application does appear to attempt to take control of devices, harvest data, and install other software, with millions of devices potentially affected. Lookout also found that the application exploited an Android vulnerability tracked as CVE-2023-20963, with exploitation starting before Google released a patch in March.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities (KEV) catalog on Thursday. CISA instructed government organizations to patch the vulnerability within the next two weeks. CISA also added to its KEV catalog a vulnerability affecting installable survey software made by Novi Survey.

Novi Survey has published an advisory to inform customers about CVE-2023-29492, which the company says allows a remote attacker to execute arbitrary code on the server. However, the public advisory does not mention anything about in-the-wild exploitation and there do not appear to be any reports about attacks involving the vulnerability.

Google on Thursday called on vendors to be more transparent when it comes to vulnerability exploitation. With millions of devices potentially impacted by these two vulnerabilities, it’s important to be aware of the risk and patch these flaws as soon as possible.

In conclusion, an Android vulnerability that was reportedly exploited as a zero-day by a Chinese application has been added to the known exploited vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2023-20963, was found to be exploited by the application Pinduoduo, with millions of devices potentially being impacted. CISA also added a vulnerability from Novi Survey to its KEV catalog. Google has urged vendors to become more transparent when it comes to vulnerability exploitation.

Key Points:

• An Android vulnerability has been added to the known exploited vulnerabilities catalog maintained by the US Cybersecurity and Infrastructure Security Agency (CISA)
• The vulnerability, CVE-2023-20963, was found to be exploited by the Chinese application Pinduoduo
• Millions of devices are potentially impacted by this vulnerability
• CISA also added a vulnerability from Novi Survey to its KEV catalog
• Google has urged vendors to become more transparent when it comes to vulnerability exploitation
