CISA: Patch Bug Exploited by Chinese E-commerce App
A leading US security agency has given federal civilian agencies until May 4 to patch an Android zero-day vulnerability which was allegedly exploited by an e-commerce app to eavesdrop on users.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-20963 to its Known Exploited Vulnerabilities Catalog late last week.
The high severity vulnerability was patched by Google last month after the firm said it may be under “limited, targeted exploitation.”
CISA explained that the bug enables attackers to escalate privileges on targeted devices without user interaction.
“Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed,” it noted.
Mobile security company Lookout confirmed late last month that the vulnerability, which has a CVSS score of 7.8, was being exploited by malicious versions of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app available from third-party app stores were to blame.
Researchers said this could have enabled threat actors to covertly and remotely control millions of devices, to steal data and install additional malware.
With over 750 million monthly active users, Pinduoduo is one of the world’s most popular destinations for online shopping. The firm has denied its software is malicious, even though the two apps analyzed by researchers were apparently signed with an official key.
The Pinduoduo app has been temporarily pulled from the official Google Play store, but most Chinese consumers rely on third-party app stores to source their Android downloads, so a Play removal alone does little to limit exposure.
Although the CISA catalog of known exploited vulnerabilities is designed to require federal civilian agencies to remediate listed flaws by a set deadline, private enterprises are also strongly advised to use the same catalog to prioritize their own patching efforts, since every entry on it has been observed under active exploitation.
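One concrete way to act on that recommendation is to cross-reference an asset inventory against the catalog and sort findings by CISA's due date. The script below is an added example written for this page, not code from the article, CISA or Lookout. The catalog JSON it parses is constructed sample data whose field names (`cveID`, `dueDate`, `requiredAction`, and so on) mirror the real KEV feed published at the URL in the comments; the CVE-2023-20963 entry follows the dates in the article, while the `CVE-0000-000x` identifiers are placeholders, not real CVEs. The `fetch_live_kev` helper is included for real use but is not called by the offline demo.

```python
"""Cross-reference an asset CVE inventory against the CISA KEV catalog.

Added example (not part of the original article). Sample data below is
constructed; field names follow the real KEV JSON feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample catalog in the shape of the live feed. CVE-0000-0002 is a
# placeholder identifier used only to show sorting and overdue handling.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-20963",
            "vendorProject": "Android",
            "product": "Framework",
            "vulnerabilityName": "Android Framework Privilege Escalation Vulnerability",
            "dateAdded": "2023-04-13",
            "shortDescription": "Android Framework contains an unspecified vulnerability "
                                "that allows for privilege escalation after updating an app "
                                "to a higher Target SDK with no additional execution "
                                "privileges needed.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-05-04",
        },
        {
            "cveID": "CVE-0000-0002",  # placeholder, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Remote Code Execution Vulnerability",
            "dateAdded": "2023-03-20",
            "shortDescription": "Constructed placeholder entry.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-04-10",
        },
    ],
})

# Constructed asset inventory: asset name -> CVEs reported by a scanner.
# Lower-case ID on purpose: scanner output is not always normalised.
SAMPLE_INVENTORY = {
    "android-fleet": ["cve-2023-20963", "CVE-0000-0001"],
    "web-frontend": ["CVE-0000-0002", "CVE-0000-0003"],
    "build-server": ["CVE-0000-0004"],
}


def load_kev(raw_json: str) -> dict:
    """Index catalog entries by upper-cased CVE ID for O(1) lookups."""
    catalog = json.loads(raw_json)
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def fetch_live_kev(url: str = KEV_URL, timeout: int = 30) -> dict:
    """Download the live catalog (network access required; not used in the demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_kev(resp.read().decode("utf-8"))


def prioritize(inventory: dict, kev: dict, today: date) -> list:
    """Return findings that appear in KEV, earliest due date first.

    Each finding records the asset, the catalog entry, days until the CISA
    due date (negative when already past) and whether it is overdue.
    """
    hits = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve.strip().upper())
            if entry is None:
                continue  # not known-exploited; lower priority
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "asset": asset,
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": due,
                "days_left": (due - today).days,
                "overdue": due < today,
                "action": entry["requiredAction"],
            })
    hits.sort(key=lambda h: (h["due"], h["asset"]))
    return hits


def report(hits: list) -> str:
    """Render a plain-text worklist; overdue items are flagged first."""
    lines = []
    for h in hits:
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        lines.append(f"[{flag:>8}] {h['cve']} on {h['asset']}: {h['name']} -> {h['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    print(report(prioritize(SAMPLE_INVENTORY, catalog, date(2023, 4, 17))))
```

Swap `load_kev(SAMPLE_KEV_JSON)` for `fetch_live_kev()` to run against the real feed; the rest of the logic is unchanged. Inventory CVEs absent from the catalog are deliberately dropped rather than ranked, because the point of the KEV list is to separate confirmed-exploited flaws from the much longer list of everything a scanner reports.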