Android Privilege Escalation Bug Exploited to Spy on Chinese E-Commerce App Users

By Richard Anderson

A high-severity vulnerability in Android devices is being actively exploited to spy on users of a popular Chinese e-commerce app, according to a recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

The vulnerability is a privilege escalation bug in WorkSource, which affects Android-11, Android-12, Android-12L, Android-13, and Android ID: A-220302519. The flaw is tracked as CVE-2023-20963, has a CVSS v3 base score of 7.8 out of 10, and has recently been added to CISA’s Known Exploited Vulnerability catalog.

According to CISA, “Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.” An exploit for the flaw has been included in the Chinese e-commerce app of the Chinese online retail giant, Pinduoduo.

Google removed the app from its Play Store as it was deemed potentially harmful as non-Play versions of the app had been discovered with malicious code that allowed unauthorized access to the device or data. The exploit is believed to have been added to the app to spy on app users, and there are reportedly 750 million active Pinduoduo app users a month. Kaspersky later reported that versions of the app had been discovered that could download additional malicious modules for spying on users, as they could access a user’s notifications and files.

Google addressed the flaw in the security updates released in early March 2023 and said at the time that evidence had been found to indicate it was being exploited in limited cases. The bug serves as a warning to all users about the importance of not postponing security updates and applying them as soon as possible. Due to the potential for exploitation, CISA requires all U.S. Federal Civilian Executive Branch Agencies to ensure their devices are updated within 3 weeks.

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news