Google and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about an Android vulnerability, CVE-2023-20963, that was reportedly exploited as a zero-day by the Chinese shopping app Pinduoduo, affecting millions of devices. The flaw has been added to CISA's known exploited vulnerabilities (KEV) catalog following Google's confirmation of the exploitation.
On March 21, Google suspended Pinduoduo from its app store after discovering malware in versions of the app distributed through other websites. Pinduoduo denied these allegations at the time. Chinese researchers had reported observing malicious behavior associated with the app, accusing the company of ensnaring the devices of hundreds of millions of users into a botnet. The researchers claimed that Pinduoduo apps exploit Android and OEM-specific vulnerabilities, collect user and application data, deploy backdoors, install other apps, and bypass security features.
Approximately a week after Google removed the Pinduoduo app, researchers at mobile security firm Lookout confirmed that the application does indeed appear to attempt to take control of devices, harvest data, and install other software, with millions of devices potentially being impacted. Lookout also discovered that the application exploited the Android vulnerability CVE-2023-20963, with exploitation beginning before Google released a patch in March. Google describes CVE-2023-20963 as a high-severity privilege escalation flaw affecting Android's framework component. In April, Google updated its March 2023 Android security bulletin to inform users that "there are indications that CVE-2023-20963 may be under limited, targeted exploitation."
On Thursday, CISA added the vulnerability to its KEV catalog, which is also known as the 'must patch' list because organizations are strongly urged to address the flaws it includes. The agency has instructed government organizations to patch it within the next two weeks. In addition to CVE-2023-20963, CISA added to its KEV catalog a vulnerability affecting installable survey software made by Novi Survey. Novi Survey published an advisory informing customers about CVE-2023-29492, which the company says allows a remote attacker to execute arbitrary code on the server. "The vulnerability does not provide access to survey or response data stored within the system," Novi explained. However, the public advisory does not mention in-the-wild exploitation, and there do not appear to be any public reports of attacks involving the vulnerability. It is unclear whether the company has warned customers privately about the threat.
Also on Thursday, Google called on vendors to be more transparent about vulnerability exploitation, stating that "Vendors should make users, supply chain partners, and the community aware of the exploitation and notify victims in a timely manner through public disclosure and direct outreach where possible. [...] Additional details of vulnerabilities and exploits should be shared to improve researcher knowledge and defenses."