"CISA: Patch Bug Exploited by Chinese E-commerce App"

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-20963 to its Known Exploited Vulnerabilities (KEV) catalog and given federal agencies until May 4 to patch it. The flaw was allegedly exploited by an e-commerce app to eavesdrop on its users. Google patched the high-severity vulnerability last month, saying at the time that it may be under "limited, targeted exploitation." CISA describes it as an unspecified vulnerability in the Android Framework that allows privilege escalation after an app is updated to a higher target SDK, with no additional execution privileges needed.

Mobile security company Lookout confirmed late last month that the vulnerability, which has a CVSS score of 7.8, was being exploited by malicious versions of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app, distributed through third-party app stores, were implicated. With more than 750 million monthly active users, Pinduoduo is one of the world's most popular online shopping destinations. The company has denied that its software is malicious, even though the two apps analyzed by researchers were apparently signed with an official Pinduoduo key, which means checks based on the signing key alone would not distinguish them from legitimate builds. The app has been temporarily pulled from the official Google Play store, but most Chinese consumers source their Android downloads from third-party app stores, where the malicious versions were found.

Although the KEV catalog is designed to compel federal agencies to patch actively exploited flaws on a deadline, it is also strongly recommended that private enterprises use the same catalog to prioritize their own remediation work.
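Acting on that closing recommendation is straightforward, because CISA publishes the KEV catalog as a JSON feed. The Python below is an added example, not code from the article, from CISA or from Pinduoduo: it matches KEV entries against an asset inventory and ranks them by CISA's due date, flagging anything already overdue. The field names follow the schema of the published feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the one-entry catalog excerpt, its `dateAdded` value and the inventory are constructed for the example, except that the description and the 2023-05-04 due date are the ones the article quotes.

```python
"""Rank KEV catalog entries against an asset inventory by CISA due date.

Added example; not from the article, CISA or Pinduoduo. KEV field names
follow CISA's published JSON feed. The catalog excerpt and inventory
below are constructed, apart from the CVE-2023-20963 description and
2023-05-04 due date quoted in the article.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the real feed (top-level metadata
# trimmed to what the code reads). dateAdded is a constructed value.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [{
        "cveID": "CVE-2023-20963",
        "vendorProject": "Android",
        "product": "Framework",
        "vulnerabilityName": "Android Framework Privilege Escalation Vulnerability",
        "dateAdded": "2023-04-13",
        "shortDescription": ("Android Framework contains an unspecified vulnerability "
                             "that allows for privilege escalation after updating an "
                             "app to a higher Target SDK with no additional execution "
                             "privileges needed."),
        "requiredAction": "Apply updates per vendor instructions.",
        "dueDate": "2023-05-04",
        "knownRansomwareCampaignUse": "Unknown",
        "notes": "",
    }],
})


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str


# Constructed inventory: two Android fleets the entry applies to and one
# unrelated asset that must not appear in the output.
INVENTORY = [
    Asset("field-tablets", "Android", "Framework"),
    Asset("exec-phones", "android", "framework"),   # case differs on purpose
    Asset("web-frontend", "Acme", "WebServer"),
]


def _key(vendor: str, product: str) -> tuple[str, str]:
    # vendorProject/product in the feed are free text; normalise before matching
    return (vendor.strip().lower(), product.strip().lower())


def prioritize(kev_json: str, inventory: list[Asset], as_of: date) -> list[dict]:
    """Return the KEV entries that touch the inventory, most urgent first.

    Each row carries the affected asset names, the CISA due date, the days
    left until that date (negative once it has passed) and a status flag.
    """
    by_key: dict[tuple[str, str], list[str]] = {}
    for asset in inventory:
        by_key.setdefault(_key(asset.vendor, asset.product), []).append(asset.name)

    rows = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        hit = by_key.get(_key(entry["vendorProject"], entry["product"]))
        if not hit:
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - as_of).days
        rows.append({
            "cveID": entry["cveID"],
            "assets": sorted(hit),
            "dueDate": due,
            "days_left": days_left,
            "status": "overdue" if days_left < 0 else "open",
            "requiredAction": entry["requiredAction"],
        })
    # Most negative days_left (longest overdue) first, then nearest deadline
    rows.sort(key=lambda r: (r["days_left"], r["cveID"]))
    return rows


def report(as_of_iso: str) -> list[dict]:
    """Convenience wrapper: run prioritize() over the sample data for a given day."""
    return prioritize(KEV_SAMPLE, INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for row in report("2023-04-20"):
        print(f'{row["cveID"]}: {row["status"]}, {row["days_left"]} days left, '
              f'assets={", ".join(row["assets"])}; {row["requiredAction"]}')
```

Against a live download of the feed, replace `KEV_SAMPLE` with the file contents and `INVENTORY` with the output of your asset system; the matching is deliberately coarse (vendor and product only), so treat a hit as a prompt to check vendor patch levels rather than as proof of exposure.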


Infosecurity reports: "CISA: Patch Bug Exploited by Chinese E-commerce App"