Severe Android and Novi Survey Vulnerabilities Under Active Exploitation


April 14, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threats

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The two flaws are listed below:

  • CVE-2023-20963 (CVSS Score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS Score: TBD) – Novi Survey Insecure Deserialization Vulnerability

“The Android Framework contains an unspecified vulnerability that allows privilege escalation after updating an application to a higher Target SDK without requiring additional execution privileges,” CISA said in an advisory for CVE-2023-20963.

Google, in its monthly Android Security Bulletin for March 2023, acknowledged “there are indications that CVE-2023-20963 may be under a targeted restricted exploit.”

The development comes as technology news site Ars Technica disclosed late last month that a digitally signed Android app from Chinese e-commerce firm Pinduoduo weaponized the flaw to seize control of the device and steal sensitive data, citing analysis from mobile security firm Lookout.

Key capabilities of the malware-containing app include increasing Pinduoduo’s daily active user and monthly active user counts, uninstalling rival apps, accessing notifications and location information, and preventing itself from being uninstalled.

CNN, in a follow-up report published at the beginning of the month, said an analysis of version 6.49.0 of the app revealed code designed to achieve privilege escalation and even track user activity on other shopping apps.

The exploit allowed the malicious app to access a user’s contacts, calendar and photo albums without their consent and to request “a large number of permissions outside of the normal functionality of a shopping app,” the news channel said.

It should be noted that Google suspended the official Pinduoduo app from the Play Store in March, citing malware identified in an “off-Play version” of the software.


Nonetheless, it remains unclear how these APK files were signed with the same key used to sign legitimate Pinduoduo applications. This could point to a key leak, the work of a rogue insider, a compromise of the Pinduoduo build pipeline, or a deliberate attempt by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog is an insecure deserialization flaw in Novi Survey software that allows a remote attacker to execute code on the server in the context of the service account.

The issue, which affects Novi Survey versions prior to 8.9.43676, was addressed by the Boston-based provider earlier this week on April 10, 2023. It is currently unknown how the flaw is being abused in real-world attacks.

To address the risks posed by the vulnerability, Federal Civilian Executive Branch (FCEB) agencies in the US have been advised to apply the required patch by May 4, 2023.
