Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

Apr 14, 2023Ravie LakshmananMobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
has added ^[1]
two vulnerabilities to its Known Exploited Vulnerabilities (KEV)
catalog, based on evidence of active exploitation.

The two flaws are listed below –

CVE-2023-20963^[2] (CVSS score: 7.8) –
Android Framework Privilege Escalation Vulnerability
CVE-2023-29492^[3] (CVSS score: TBD) – Novi
Survey Insecure Deserialization Vulnerability

“Android Framework contains an unspecified vulnerability that
allows for privilege escalation after updating an app to a higher
Target SDK with no additional execution privileges needed,” CISA
said ^[4]
in an advisory for CVE-2023-20963.

Google, in its monthly Android Security Bulletin for March 2023,
acknowledged ^[5]
“there are indications that CVE-2023-20963 may be under limited,
targeted exploitation.”

The development comes as tech news site Ars Technica disclosed ^[6]
late last month that Android apps digitally signed by China’s
e-commerce company Pinduoduo weaponized the flaw to seize control
of the devices and steal sensitive data, citing analysis from
mobile security firm Lookout.

Chief among the capabilities of the malware-laced app includes
inflating the number of Pinduoduo daily active users and monthly
active users, uninstalling rival apps, accessing notifications and
location information, and preventing itself from being
uninstalled.

CNN, in a follow-up report ^[7]
published earlier this month, said an analysis of the 6.49.0
version of the app revealed code designed to achieve privilege
escalation and even track user activity on other shopping apps.

The exploits allowed the malicious app to access users’
contacts, calendars, and photo albums without their consent and
requested a “large number of permissions beyond the normal
functions of a shopping app,” the news channel said.

It’s worth pointing out that Google suspended ^[8]
Pinduoduo’s official app from the Play Store in March, citing
malware identified in “off-Play versions” of the software.

UPCOMING WEBINAR

Master the Art of Dark Web Intelligence Gathering

Learn the art of extracting threat intelligence from the dark
web – Join this expert-led webinar!

Save My
Seat!^[9]

That said, it’s still not clear how these APK files were signed
with the same key used to sign the legitimate Pinduoduo app. This
either points to a key leak, the work of a rogue insider, a
compromise of Pinduoduo’s build pipeline, or a deliberate attempt
by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog relates to an
insecure deserialization vulnerability in Novi Survey software that
allows remote attackers to execute code on the server in the
context of the service account.

The issue, which impacts Novi Survey versions prior to
8.9.43676, was addressed ^[10] by the Boston-based
provider earlier this week on April 10, 2023. It’s currently not
known how the flaw is being abused in real-world attacks.

To counter the risks posed by the vulnerabilities, Federal
Civilian Executive Branch (FCEB) agencies in the U.S. are advised
to apply necessary patches by May 4, 2023.

Found this article interesting? Follow us on Twitter ^[11] and LinkedIn ^[12] to read more exclusive
content we post.