April 14, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

The two flaws are listed below.

  • CVE-2023-20963 (CVSS score: 7.8) – Android framework privilege escalation vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey insecure deserialization vulnerability

“The Android framework contains an unspecified vulnerability that allows privilege escalation without requiring additional execution permissions after updating an app to a higher target SDK,” CISA said in the advisory for CVE-2023-20963.

Google, in its March 2023 monthly Android security bulletin, admitted “There are indications that CVE-2023-20963 may be under limited targeted attacks.”

The development comes as technical news site Ars Technica disclosed at the end of last month that an Android app digitally signed by Chinese e-commerce company Pinduoduo is weaponizing the flaw as a zero-day to take control of devices and steal sensitive data, citing analysis by mobile security firm Lookout.

The main functions of the malware-laden app include increasing Pinduoduo’s daily and monthly active users, uninstalling competing apps, accessing notifications and location, and preventing itself from being uninstalled.

CNN, in a follow-up report, said an analysis of version 6.49.0 of the app revealed code designed to achieve privilege escalation and even track user activity in other shopping apps.

The exploit allowed the malicious app to access the user’s contacts, calendar and photo albums without the user’s consent, requesting “numerous permissions beyond the normal functionality of a shopping app,” the news channel said.

It is worth pointing out that Google suspended Pinduoduo’s official app from the Play Store in March, citing malware identified in an “off-play version” of the software.

However, it is still unclear how these APK files were signed with the same key used to sign the legitimate Pinduoduo app. This points to a compromised key, the work of a rogue insider, a compromise of Pinduoduo’s build pipeline, or a deliberate attempt by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog relates to an insecure deserialization vulnerability in Novi Survey software that allows remote attackers to execute code on the server in the context of a service account.

The issue, which affects versions of Novi Survey prior to 8.9.43676, was addressed by the Boston-based provider, which reported it earlier this week on April 10, 2023. It is currently unknown how this flaw is being exploited in real-world attacks.

To combat the risks posed by the vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are advised to apply the required patches by May 4, 2023.
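
The following is an added example, not code from the article, CISA or Novi Survey: a small triage script that flags Novi Survey installs older than 8.9.43676 and counts the days remaining to the May 4, 2023 deadline. The inventory hostnames and versions, the `fixed_in` field, and the assumption that versions are purely numeric dotted strings are all constructed for illustration.

```python
from datetime import date

# KEV-style record built from this article's facts (constructed, not fetched
# from CISA). "fixed_in" is this example's own field, taken from the article.
KEV_ENTRIES = [
    {"cveID": "CVE-2023-29492", "product": "Novi Survey",
     "dueDate": "2023-05-04", "fixed_in": "8.9.43676"},
]

# Constructed inventory: hostnames and installed versions are hypothetical.
INVENTORY = [
    {"host": "survey-prod-01", "product": "Novi Survey", "version": "8.9.43012"},
    {"host": "survey-test-01", "product": "Novi Survey", "version": "8.9.43676"},
    {"host": "survey-dr-01", "product": "Novi Survey", "version": "8.10.2"},
]

def parse_version(text):
    """'8.9.43676' -> (8, 9, 43676), so parts compare as numbers, not text."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(installed, fixed_in):
    """True when the installed version is strictly older than the fixed one."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so '8.9' compares equal to '8.9.0'.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

def triage(inventory, kev_entries, today):
    """Return affected assets, most urgent first, with days to the due date."""
    findings = []
    for entry in kev_entries:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in inventory:
            if asset["product"] != entry["product"]:
                continue
            if is_affected(asset["version"], entry["fixed_in"]):
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "version": asset["version"],
                                 "days_left": days_left,
                                 "overdue": days_left < 0})
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_ENTRIES, date(2023, 4, 14)):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']} {f['version']} {f['cve']}: {state}")
```

Comparing the version strings as plain text would wrongly flag the hypothetical 8.10.2 host as older than 8.9.43676, which is why the parts are compared numerically.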
