
Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

by crpt os


Apr 14, 2023 | Ravie Lakshmanan | Mobile Security / Cyber Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The two flaws are listed below –

  • CVE-2023-20963 (CVSS score: 7.8) – Android Framework Privilege Escalation Vulnerability
  • CVE-2023-29492 (CVSS score: TBD) – Novi Survey Insecure Deserialization Vulnerability

“Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed,” CISA said in an advisory for CVE-2023-20963.

Google, in its monthly Android Security Bulletin for March 2023, acknowledged “there are indications that CVE-2023-20963 may be under limited, targeted exploitation.”

The development comes as tech news site Ars Technica disclosed late last month that Android apps digitally signed by China’s e-commerce company Pinduoduo weaponized the flaw to seize control of the devices and steal sensitive data, citing analysis from mobile security firm Lookout.

Chief among the capabilities of the malware-laced app are inflating the number of Pinduoduo daily active users and monthly active users, uninstalling rival apps, accessing notifications and location information, and preventing itself from being uninstalled.

CNN, in a follow-up report published earlier this month, said an analysis of the 6.49.0 version of the app revealed code designed to achieve privilege escalation and even track user activity on other shopping apps.

The exploits allowed the malicious app to access users’ contacts, calendars, and photo albums without their consent and requested a “large number of permissions beyond the normal functions of a shopping app,” the news channel said.

It’s worth pointing out that Google suspended Pinduoduo’s official app from the Play Store in March, citing malware identified in “off-Play versions” of the software.


That said, it’s still not clear how these APK files were signed with the same key used to sign the legitimate Pinduoduo app. This either points to a key leak, the work of a rogue insider, a compromise of Pinduoduo’s build pipeline, or a deliberate attempt by the Chinese company to distribute malware.

The second vulnerability added to the KEV catalog relates to an insecure deserialization vulnerability in Novi Survey software that allows remote attackers to execute code on the server in the context of the service account.

The issue, which impacts Novi Survey versions prior to 8.9.43676, was addressed by the Boston-based provider earlier this week on April 10, 2023. It’s currently not known how the flaw is being abused in real-world attacks.
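The class of bug behind the Novi Survey entry, shown as an added example that is not Novi Survey's code (the page does not disclose the product's stack or the affected code path): an unrestricted native deserializer lets the byte stream decide which module-level names get resolved, which is why it becomes a code-execution path in the service account's context. Python's pickle is used only because it makes the contrast easy to see; `SAFE_GLOBALS`, `RestrictedUnpickler`, and the survey record are assumptions constructed for this example.

```python
import io
import os
import pickle
from datetime import datetime

# Allowlist of (module, name) pairs the loader may resolve. Everything else is
# refused before any object is constructed. datetime is the only non-primitive
# type the constructed "survey response" record below needs.
SAFE_GLOBALS = {("datetime", "datetime")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not in SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def unsafe_loads(data: bytes):
    """Vulnerable pattern: pickle.loads resolves whatever module/name the
    stream names, so the sender, not the server, decides what is reachable."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened form: same stream format, but global lookups are allowlisted."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """'accepted' if the restricted loader reconstructs the stream,
    'refused' if the stream names a global outside the allowlist."""
    try:
        safe_loads(data)
        return "accepted"
    except pickle.UnpicklingError:
        return "refused"


def benign_stream() -> bytes:
    # Constructed sample: the kind of record a survey service might persist.
    record = {
        "survey_id": 42,
        "submitted": datetime(2023, 4, 10, 12, 0, 0),
        "answers": {"q1": "yes", "q2": 3},
    }
    return pickle.dumps(record)


def suspicious_stream() -> bytes:
    # Constructed sample: a stream that merely *names* an importable callable.
    # pickle.loads returns the function object without calling it, but that
    # same resolution step is what an attacker-controlled stream abuses to reach
    # arbitrary code; the hardened loader rejects the lookup outright.
    return pickle.dumps(os.getcwd)


if __name__ == "__main__":
    print("benign     ->", classify(benign_stream()))      # accepted
    print("suspicious ->", classify(suspicious_stream()))  # refused
    print("unsafe_loads resolves:", unsafe_loads(suspicious_stream()))
```

The ordering of mitigations a practitioner would apply is the usual one: prefer a data-only format such as JSON with schema validation for anything that crosses a trust boundary; where a native serializer cannot be removed, allowlist the types it may reconstruct as above; and, because the advisory places the resulting execution in the service account's context, keep that account's privileges minimal so a successful exploit is bounded. For the product itself the actionable check is the version line the page gives: anything before 8.9.43676 is affected.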

To counter the risks posed by the vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies in the U.S. are advised to apply necessary patches by May 4, 2023.
