One of two vulnerabilities recently added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog affects the Android mobile operating system, and the agency reports that it has seen evidence of active exploitation.
The weakness is:
CVE-2023-20963 (CVSS score: 7.8) - Android Framework Privilege Escalation Vulnerability
CISA stated in its advisory that, "Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed."
For its part, Google conceded in its monthly Android Security Bulletin for March 2023 that "there are indications that CVE-2023-20963 may be under limited, targeted exploitation."
Ars Technica, a news site focused on technology, wrote last month about its research into how Android apps digitally signed by a Chinese e-commerce company called Pinduoduo had weaponized the Android flaw in a zero-day attack used to gain control of users' devices and extract sensitive data. Ars Technica's article drew on analysis from a mobile security firm, Lookout.
Among the many capabilities of the infected app in the store was the ability for the software to inflate the number of Pinduoduo daily and monthly active users (likely to drive up the app’s popularity rating in the store and thereby increase the number of users). The app could also uninstall rival apps, prevent itself from being uninstalled, and access notifications and location information.
CNN published a follow-up report in which it revealed that an analysis of the 6.49.0 version of the app found code that was designed to obtain privilege escalation and track user activity on alternate shopping apps on the phone. Among other capabilities, the threat actors were able to access users' calendar, contacts, and photo albums without users’ knowledge. The apps requested a "large number of permissions beyond the normal functions of a shopping app," according to CNN.
Google suspended Pinduoduo's app from the Play Store in March due to malware identified in versions of the software obtained from non-Play sources.
Still under investigation is the method by which the off-Play APK files were signed with the exact same key used to sign the legitimate Pinduoduo app. The likely causes are a key leak, a rogue insider, or exploitation of weak security in the company’s build pipeline. It is also possible that this was a deliberate attempt by the Chinese company to spread malware.
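Two of the signals the reporting above singles out can be checked against a device inventory: an app update that raised its target SDK (the trigger condition in CISA's description of CVE-2023-20963) and a build that did not arrive through Google Play. The following is an added example, not code from the article, CISA, Google or Lookout; the AppRecord layout is a hypothetical stand-in for whatever an MDM export actually provides, and every sample record is constructed. It also shows the caveat the Pinduoduo case makes plain: because the off-Play builds carried the legitimate signing key, a signer-change check alone would not have flagged them.

```python
"""Triage two snapshots of an Android app inventory (e.g. MDM exports) for
signals relevant to CVE-2023-20963 reporting: an update that raised the
app's targetSdkVersion, an install that did not come via Google Play, and
a change of signing certificate. Record layout and data are constructed
for this example; they are not a real MDM schema."""
from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's package name


@dataclass(frozen=True)
class AppRecord:
    package: str
    version_name: str
    target_sdk: int
    signer_sha256: str  # hex digest of the signing certificate
    installer: str      # package that installed the app, "" if unknown


def triage(before: dict, after: dict) -> dict:
    """Compare two inventories keyed by package name.

    Returns {package: [signal, ...]} for every package in `after` that
    shows at least one signal. Packages with no findings are omitted.
    """
    findings = {}
    for pkg, new in after.items():
        flags = []
        old = before.get(pkg)
        if new.installer != PLAY_STORE_INSTALLER:
            flags.append("sideloaded")
        if old is not None:
            # The KEV entry describes escalation after an update to a
            # higher Target SDK, so an increase across snapshots is worth
            # a look even when nothing else changed.
            if new.target_sdk > old.target_sdk:
                flags.append("target_sdk_raised")
            # A different signer is a strong signal, but its absence proves
            # little: the reporting above describes off-Play builds signed
            # with the vendor's genuine key.
            if new.signer_sha256 != old.signer_sha256:
                flags.append("signer_changed")
        if flags:
            findings[pkg] = flags
    return findings


# Constructed sample inventories (package names and digests are made up).
BEFORE = {
    "com.example.shop": AppRecord("com.example.shop", "6.48.0", 30,
                                  "aa" * 32, PLAY_STORE_INSTALLER),
    "com.example.notes": AppRecord("com.example.notes", "1.0", 33,
                                   "bb" * 32, PLAY_STORE_INSTALLER),
}
AFTER = {
    # Updated outside Play, target SDK raised, same signing key as before.
    "com.example.shop": AppRecord("com.example.shop", "6.49.0", 33,
                                  "aa" * 32, "com.android.packageinstaller"),
    # Routine Play update, nothing to flag.
    "com.example.notes": AppRecord("com.example.notes", "1.1", 33,
                                   "bb" * 32, PLAY_STORE_INSTALLER),
    # Newly seen package with an unknown installer.
    "com.example.new": AppRecord("com.example.new", "1.0", 31, "cc" * 32, ""),
}


def sample_findings() -> dict:
    """Run triage over the constructed snapshots."""
    return triage(BEFORE, AFTER)


if __name__ == "__main__":
    for pkg, flags in sample_findings().items():
        print(f"{pkg}: {', '.join(flags)}")
```

In the sample run, com.example.shop is flagged as sideloaded with its target SDK raised, com.example.new only as sideloaded, and com.example.notes not at all; the unchanged signer on com.example.shop is exactly why the installer source and target-SDK signals are needed alongside certificate pinning.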
This continues a trend among higher-grade attackers of targeting mobile devices for exploitation of flaws, especially as many companies have moved to mobile devices for delivery of multi-factor authentication (MFA) one-time passwords (OTPs). The access gained by the Android app could easily have been leveraged to that end, with many of the malware's other components serving either as misdirection or as side benefits. Secure mobile management and proper MFA implementation are just two of a number of key components of an effective security program; contact Webcheck Security today to learn how we can analyze your current state and provide roadmaps for improving your security posture.