An Android zero-day that exploited millions of devices via a Chinese ecommerce app was added Thursday to the catalog of known exploited vulnerabilities by the U.S. agency in charge of securing the nation's cybersecurity and infrastructure.
The U.S. Cybersecurity and Infrastructure Security Agency was responding to reports in the press about the zero-day vulnerability and confirmation from researchers on the vulnerability's authenticity.
About a week after Google removed Pinduoduo from its Play Store in late March, researchers at mobile security company Lookout confirmed for Ars Technica that the Pinduoduo app appeared to take control of devices, harvest data, and install other software, with millions of devices potentially impacted.
Google described the bug — CVE-2023-20963 — as a high-severity (7.8 CVSS score) privilege escalation flaw that targets Android’s framework component. The vulnerability affects Android 11, Android 12, Android 12L, and Android 13. CISA advised security teams to patch the bug immediately and civilian federal agencies have two weeks to patch the vulnerability.
The suspension by Google of Pinduoduo app comes at a time of increased tensions between the United States and China over the popular social media app TikTok, which some U.S. lawmakers and intelligence officials say could pose security threats.
CISA's addition of CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) list aligns with our findings regarding exploitation of this vulnerability in the wild, said Justin Albrecht, threat intelligence researcher at Lookout. According to Lookout telemetry data, Albrecht said many of these victims were located outside of China, including victims within the United States.
Albrecht said the privileges gained by exploiting this vulnerability let the malicious code install apps and grant permissions, such as accessing notification content without user interaction; remove apps; make it impossible for the user to remove certain apps; infect third-party apps present on the device with malicious code; and access and manipulate data that is private to third-party apps.
“The prevalence of iOS and Android exploits continues to grow,” said Albrecht. “Recent reporting by Citizen Lab and Microsoft on QuaDream’s Reign malware underlines how reliant nation-states are on such exploits to conduct espionage against individuals’ mobile devices, and the discovery of such an exploit being used within a popular application like Pinduoduo for financial gain and competitive advantage is a worrying shift in the threat landscape. Mobile exploits are no longer exclusive to the NSO Groups of the world — but may rather be included in popular applications to defraud millions of users in the name of profit.”
Bud Broomhead, chief executive officer at Viakoo, added that Android phones are good places to plant bots and form a botnet army. He said they are connected devices with decent storage, processing and memory, exist at large scale, have multiple manufacturers, and require users to take action to remediate exploitable vulnerabilities. Broomhead said the vendor of Pinduoduo has not been proactive in alerting users; their involvement is critical to reduce the window of vulnerability and how long threat actors can leverage this exploit.
“Unlike Apple devices, where fixes are pushed and managed by a single entity, Android devices have multiple manufacturers each of whom needs to provide a patch to remediate this at the device level,” explained Broomhead. “While removing the app (or updating it) can also remediate this vulnerability, having an Android-level patch can eliminate the possibility of this being exploited in other applications.”
Ted Miracco, chief executive officer at Approov, said recent zero-day vulnerabilities discovered in Android devices have raised concerns about their security. Miracco said while zero-day vulnerabilities are often extremely dangerous, it's worth noting that both iOS and Android devices are vulnerable to zero-day vulnerabilities, and no operating system — mobile or desktop — is immune to these security threats. Earlier this week Apple announced it patched two zero-days affecting iPhones, iPads, and Macs, bugs that were also added to CISA's KEV catalog.
“The closed system of iOS can, in fact, make it harder for security researchers to discover and report vulnerabilities, which means that vulnerabilities may go unnoticed for longer periods of time,” said Miracco. “Ultimately, the security of a device depends on the behavior of the end user as the most important factor. Good security practices on behalf of the user, when combined with the strength of the device's security features, and the speed with which security vulnerabilities are identified and addressed by the vendor is the best way to minimize the threat of zero-day vulnerabilities.”