Researchers from security startup Lookout have found that Android apps digitally signed by China’s third-largest e-commerce giant used a zero-day vulnerability that allowed them to covertly take control of millions of end-user devices to collect personal data and install malicious apps.
According to a preliminary Lookout study, at least two off-Play Android versions of Pinduoduo exploited a vulnerability tracked as CVE-2023-20963. Google rolled out a fix two weeks ago, making it available to end users. Prior to Google’s disclosure, this privilege-escalation bug was being used to boost the app’s access rights, which the app then used to run code downloaded from a site that was only accessible to developers.
Christoph Hebeisen, one of three Lookout experts who examined the files, said in an email that the malicious programs reflect “a pretty sophisticated attack for an app-based virus.” He added: “In recent years, mass-distributed apps have rarely been the target of attacks. Given the very invasive nature of such sophisticated app-based malware, mobile users must guard against this threat.”
Hebeisen was assisted by Lookout researchers Eugene Kolodenker and Paul Shunk. He also noted that Lookout’s analysis was hurried and that a more in-depth examination will probably uncover more flaws in the software.
Pinduoduo is an app that connects buyers and sellers in online commerce; it recently recorded 751.3 million average monthly active users. Although PDD Holdings, the publicly traded parent company of Pinduoduo, is still smaller than its Chinese rivals JD.com and Alibaba, it has overtaken both as the fastest-growing e-commerce company in the region.
Concerns about the Pinduoduo app initially appeared in a post from a research organization going by the name of Dark Navy last month (English translation here).
According to the English version, “well-known Internet manufacturers will continue to scour the present market for new Android OEM-related vulnerabilities and implement vulnerability assaults on popular mobile phone platforms.” The report said the app employed a “bundle feng shui-Android parcel serialization and deserialization [exploit] that seems unknown in recent years,” but it named neither the company nor the program. The post included many code fragments from the purportedly malicious program; the string “LuciferStrategy” appears in one of them.
Vindication for Dark Navy and davinci1012
The two days Lookout spent on its analysis weren’t long enough to examine all the pertinent technical facets of the two Pinduoduo app samples. The study is further complicated by the download of a second-stage payload from the Internet. Because this stage isn’t digitally signed, Lookout has been unable to identify it as coming from PDD Holdings.
Given that there is little evidence beyond the fact that at least two Pinduoduo app samples signed with the official key contain zero-day exploit code, there are a few probable conclusions.
The code might exist as a result of:
- harmful code intentionally distributed by Pinduoduo developers
- a malevolent insider’s work
- a stolen signing key acquired by an outsider
- a supply-chain attack against the Pinduoduo app’s software build system
Given the conditions, Pinduoduo should be taken off Google Play.
Users who downloaded Pinduoduo through Google Play or the App Store are unaffected, because there is no proof that malicious versions were ever available in those stores. Android users who downloaded the app via a third-party market, which is almost universal in China, are less fortunate.