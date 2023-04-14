



An Android vulnerability reportedly exploited as a zero-day by a Chinese application against millions of devices has been added to the Known Exploited Vulnerabilities Catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) after Google confirmed that it is being exploited.

Google announced on March 21 that it had suspended Pinduoduo, a popular shopping app in China, from its app store after malware was found in a version of the app distributed through the company's own website. At the time, the Chinese company denied the allegations.

Google's decision came after Chinese researchers reported observing malicious behavior in Pinduoduo and accused the company of enrolling the devices of hundreds of millions of users in a botnet.

The researchers claimed that the Pinduoduo app exploited Android and OEM-specific vulnerabilities to collect user and application data, deploy backdoors, install other apps, and bypass security features.

About a week after Google announced the removal of the Pinduoduo app, researchers at mobile security firm Lookout told Ars Technica that the application was indeed attempting to take control of devices, collect data, and install other software, and that millions of devices may have been affected.

Lookout also found that the application exploited an Android vulnerability tracked as CVE-2023-20963, and that exploitation had begun before Google released its March patch.

Google describes CVE-2023-20963 as a critical privilege escalation flaw affecting Android framework components. Sometime in April, the internet giant updated its Android Security Bulletin for March 2023 to notify users that CVE-2023-20963 may be under limited, targeted exploitation.

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Thursday. The catalog is often called the "must-patch list" because federal agencies are required to remediate the flaws it contains by a set deadline, and all other organizations are strongly encouraged to do the same. Agencies have been instructed to apply the patch within the next two weeks.

In addition to CVE-2023-20963, CISA added to the KEV catalog a vulnerability affecting installable survey software made by Novi Survey.
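Because the KEV catalog carries a remediation deadline per entry, the first thing a vulnerability-management team does with news like this is check its own CVE list against the feed. The script below is an added example written for this article, not code from CISA, Google, Lookout or Novi Survey. It parses a feed in the shape of CISA's public KEV JSON (the KEV_URL is the real feed; the sample feed, its field values and the due dates in it are constructed for the demo and are not copied from the catalog) and reports, for each CVE, whether it is listed and how many days remain before the due date.

```python
"""Check CVE IDs against a CISA KEV feed and report the remediation deadline."""
import json
import urllib.request
from datetime import date

# Real feed URL; fetch_kev() is the only function that touches the network.
KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed in the shape of the real KEV JSON. The two entries mirror the
# additions the article reports, but every field value here (including dueDate, set to
# two weeks after dateAdded as the article states) is illustrative, not copied from CISA.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "dateReleased": "2023-04-13T00:00:00.0000Z",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-20963",
            "vendorProject": "Android",
            "product": "Framework",
            "vulnerabilityName": "Android Framework Privilege Escalation Vulnerability",
            "dateAdded": "2023-04-13",
            "shortDescription": "Android Framework contains a privilege escalation vulnerability.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-04-27",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
        {
            "cveID": "CVE-2023-29492",
            "vendorProject": "Novi Survey",
            "product": "Novi Survey",
            "vulnerabilityName": "Novi Survey Insecure Deserialization Vulnerability",
            "dateAdded": "2023-04-13",
            "shortDescription": "Novi Survey contains a vulnerability that allows remote code execution on the server.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-04-27",
            "knownRansomwareCampaignUse": "Unknown",
            "notes": "",
        },
    ],
})


def fetch_kev(url: str = KEV_URL, timeout: int = 30) -> str:
    """Download the live catalog as text (not called by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def index_kev(feed_text: str) -> dict:
    """Index a KEV feed by upper-cased CVE ID so lookups are case-insensitive."""
    feed = json.loads(feed_text)
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}


def kev_status(index: dict, cve_id: str, as_of: str) -> dict:
    """Report whether cve_id is in the catalog and how long until CISA's due date."""
    cve = cve_id.strip().upper()
    entry = index.get(cve)
    if entry is None:
        return {"cve": cve, "listed": False}
    today = date.fromisoformat(as_of)
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": cve,
        "listed": True,
        "product": f"{entry['vendorProject']} {entry['product']}",
        "date_added": entry["dateAdded"],
        "due_date": entry["dueDate"],
        "days_left": (due - today).days,  # negative once the deadline has passed
        "overdue": today > due,
        "required_action": entry["requiredAction"],
    }


def triage(feed_text: str, cve_ids, as_of: str) -> list:
    """Run kev_status() for every CVE in cve_ids against one parsed feed."""
    index = index_kev(feed_text)
    return [kev_status(index, c, as_of) for c in cve_ids]


if __name__ == "__main__":
    # Offline demo on the constructed feed; pass fetch_kev() instead for the live catalog.
    watch = ["CVE-2023-20963", "cve-2023-29492", "CVE-2023-0001"]
    for row in triage(SAMPLE_KEV_FEED, watch, "2023-04-14"):
        print(row)
```

One caveat worth building into any such check: the catalog lags reality. Lookout reported that CVE-2023-20963 was exploited before Google's March patch shipped, weeks before the KEV entry appeared, so "not listed" means only that CISA has not yet confirmed exploitation, never that the bug is safe to leave unpatched.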

Novi Survey has published an advisory informing customers about CVE-2023-29492, which the company says allows remote attackers to execute arbitrary code on the server.

Novi explained that the vulnerability does not provide access to survey or response data stored within the system.

However, the advisory does not mention any in-the-wild exploitation, and there appear to be no public reports of attacks involving the vulnerability.

SecurityWeek reached out to Novi Survey to ask whether the company is aware of attacks and whether it has notified its customers. It's unclear whether the company has directly warned customers about this threat.

On Thursday, Google called on vendors to be more transparent about the exploitation of vulnerabilities.

"Vendors must make their users, supply chain partners, and communities aware of exploits and, where possible, notify victims in a timely manner through public disclosure and direct outreach. [...]" Google also says that additional details of vulnerabilities and exploits need to be shared to improve researchers' knowledge and defenses.

Update: Novi Survey told SecurityWeek that all relevant information can be found in the CVE entry and in the advisory posted on the company's blog.

