An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud.
"Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week.
"Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and

Mobile Security / Banking

An emerging Android banking trojan dubbed **Nexus** has already been adopted by several threat actors to target 450 financial applications and conduct fraud.

"Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week.

"Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception."

The trojan, which appeared in various hacking forums at the start of the year, is advertised as a subscription service to its clientele for a monthly fee of $3,000. Details of the malware were first documented by Cyble earlier this month.

However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals.

It's also said to overlap with another banking trojan dubbed SOVA, reusing parts of its source code and incorporating a ransomware module that appears to be under active development.

A point worth mentioning here is that Nexus is the same malware that Cleafy initially classified as a new variant of SOVA (dubbed v5) in August 2022.

Interestingly, the Nexus authors have laid out explicit rules that prohibit the use of its malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia.

The malware, like other banking trojans, contains features to take over accounts related to banking and cryptocurrency services by performing overlay attacks and keylogging to steal users' credentials.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Furthermore, it's capable of reading two-factor authentication (2FA) codes from SMS messages and the Google Authenticator app through the abuse of Android's accessibility services.

Some new additions to the list of functionalities is its ability to remove received SMS messages, activate or stop the 2FA stealer module, and update itself by periodically pinging a command-and-control (C2) server.

"The \[Malware-as-a-Service\] model allows criminals to monetize their malware more efficiently by providing a ready-made infrastructure to their customers, who can then use the malware to attack their targets," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS

Cyber Attack / Browser Security

German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as **Kimsuky** using rogue browser extensions to steal users' Gmail inboxes.

The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS).

The intrusions are designed to strike "experts on the Korean Peninsula and North Korea issues" through spear-phishing campaigns, the agencies noted.

Kimsuky, also known Black Banshee, Thallium, and Velvet Chollima, refers to a subordinate element within North Korea's Reconnaissance General Bureau and is known to "collect strategic intelligence on geopolitical events and negotiations affecting the DPRK's interests."

Primary targets of interest include entities in the U.S. and South Korea, particularly singling out individuals working within the government, military, manufacturing, academic, and think tank organizations.

"This threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea," Google-owned threat intelligence firm Mandiant disclosed last year.

Recent attacks orchestrated by the group suggest an expansion of its cyber activity to encompass Android malware strains such as FastFire, FastSpy, FastViewer, and RambleOn.

The use of Chromium-based browser extensions for cyber espionage purposes is not new for Kimsuky, which has previously used similar techniques as part of campaigns tracked as Stolen Pencil and SharpTongue.

The SharpTongue operation also overlaps with the latest effort in that the latter is also capable of stealing a victim's email content using the rogue add-on, which, in turn, leverages the browser's DevTools API to perform the function.

But in an escalation of Kimsuky's mobile attacks, the threat actor has been observed logging into victims' Google accounts using credentials already obtained in advance through phishing tactics and then installing a malicious app on the devices linked to the accounts.

"The attacker logs in with the victim's Google account on the PC, accesses the Google Play Store, and requests the installation of a malicious app," the agencies explained. "At this time, the target's smartphone linked with the Google account is selected as the device to install the malicious app on."

It's suspected that the apps, which embed FastFire and FastViewer, are distributed using a Google Play feature known as "internal testing" that allows third-party developers to distribute their apps to a "small set of trusted testers."

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

A point worth mentioning here is that these internal app tests, which are carried out prior to releasing the app to production, cannot exceed 100 users per app, indicating that the campaign is extremely targeted in nature.

Both the malware-laced apps come with capabilities to harvest a wide range of sensitive information by abusing Android's accessibility services. The apps are listed below -

*   com.viewer.fastsecure (FastFire)
*   com.tf.thinkdroid.secviewer (FastViewer)

The disclosure comes as the North Korean advanced persistent threat (APT) actor dubbed ScarCruft has been linked to different attack vectors that are employed to deliver PowerShell-based backdoors onto compromised hosts.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

XunRuiCMS v4.3.3 to v4.5.1 vulnerable to PHP file write and CMS PHP file inclusion, allows attackers to execute arbitrary php code, via the add function in cron.php.

CVE-2022-30037: XunRuiCMS v4.3.3 to v4.5.1 backstage code injection vulnerability(file write and file inclusion)

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

**Google** says it has suspended the app for the Chinese e-commerce giant **Pinduoduo** after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

In November 2022, researchers at Google’s Project Zero warned about active attacks on **Samsung** mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.

Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.

On Feb. 28, 2023, researchers at the Chinese security firm **DarkNavy** published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.

The three Samsung exploits that DarkNavy says were used by the malicious app. In November 2022, Google documented these three same vulnerabilities being used together to compromise Samsung devices.

DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.

“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”

On March 3, 2023, a denizen of the now-defunct cybercrime community **BreachForums** posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.

A Mar. 3, 2023 post on BreachForums, comparing the redacted code from the DarkNavy analysis with the same function in the Pinduoduo app available for download at the time.

On March 4, 2023, e-commerce expert **Liu Huafang** posted on the Chinese social media network **Weibo** that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.

On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.

That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.

Pinduduo has not yet responded to requests for comment. Pinduoduo parent company **PDD Holdings** told Reuters Google has not shared details about why it suspended the app.

The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”

Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.

Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — **Google Play**.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.

However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by **Huawei**, **Oppo**, **Tencent** and **VIVO**.

Google said its ban did not affect the PDD Holdings app **Temu**, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network **TikTok**.

The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based **ByteDance**, said last month that it now has roughly 150 million monthly active users in the United States.

A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Image-editing tools from Google and Microsoft contain the “aCropalypse” bug, which can reveal information users intentionally removed.

At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in the devices’ default photo-editing tool, Markup. Since its 2018 introduction in Android 9, Markup’s photo-cropping tool had been quietly leaving data in a cropped image file that could be used to reconstruct some or all of the original image beyond the confines of the crop. Though now fixed, the vulnerability is significant because Pixel users have for years been making, and in many cases presumably sharing, cropped images that may still contain the private or sensitive data the user was attempting to eliminate. But it gets worse.

The bug, dubbed “aCropalypse,” was discovered and originally submitted to Google by security researcher and college student Simon Aarons, who collaborated on the work with fellow reverse engineer David Buchanan. The pair were stunned to discover this week that a very similar version of the vulnerability is also present in other photo-cropping utilities from a totally separate yet equally ubiquitous codebase: Windows. The Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool are vulnerable in cases where a user takes a screenshot, saves it, crops the screenshot, and then saves the file again. Photos cropped with Markup, meanwhile, retained too much data even when the user applied the crop before first saving the photo. 

Microsoft told WIRED on Wednesday that it is “aware of these reports” and that it is “investigating,” adding, “we will take action as needed.”

“It was pretty mind-blowing really, it was as if lightning had just struck twice,” says Buchanan. “The original Android vulnerability was already surprising enough that it hadn’t been discovered already. It was quite surreal.”

Now that the vulnerabilities are out in the open, researchers have started uncovering old discussions on programming forums where developers noticed the odd behavior of the cropping tools. But Aarons seems to have been the first to recognize the potential security and privacy implications—or at least the first to bring the findings to Google and Microsoft.

“I actually noticed it at about 4 in the morning by total accident when I spotted that a small screenshot I sent of white text on a black background was a 5 MB file, and that didn’t seem right to me,” Aarons says.

Images impacted by aCropalypse often can’t be completely recovered, but they can be substantially reconstructed. Aarons provided examples, including one in which he was able to recover his credit card number after he attempted to crop it out of a photo. In short, there is a population of photos out there that contain more information than they should—specifically, information that someone intentionally tried to remove.

Microsoft hasn’t issued any fixes yet, but even those released by Google don’t mitigate the situation for existing image files cropped in the years when the tool was still vulnerable. Google points out, though, that image files shared on some social media and communication services may automatically strip out the errant data.

“As part of their existing compression process, apps and websites that recompress images, like Twitter, Instagram, or Facebook, delete extra data automatically from images uploaded. Images posted to sites like these are not at risk,” Google spokesperson Ed Fernandez says in a statement.

The researchers point out, though, that this is not true of all platforms, including Discord.

As a Discord user, Buchanan say he kept seeing people posting cropped screenshots, and it was really hard to not say anything before the vulnerability was publicly disclosed.

Steven Murdoch, a professor of security engineering at University College London, notes that in 2004 he discovered a vulnerability in which an older version of an image was stored in the thumbnail data for the image even after it had been altered.  

“This isn’t the first time I’ve seen this sort of vulnerability,” Murdoch says. “And I think the reason is because when software is written, it’s tested to make sure that the thing you expect is there. You save an image, you can open the image, and then you’re done. What is not checked is whether there is accidentally extra data stored.”

The thumbnail vulnerability Murdoch found in 2004 was conceptually similar to aCropalypse from a data privacy standpoint but had very different technical underpinnings because of issues in application programming interface design. And Murdoch emphasizes that while he sees aCropalypse as a problem for users whose affected photos are already out in the world, its biggest impact may come from the discussions it has raised about how to promote better security practices in API development and implementation.

“This has triggered some interesting conversations about API design and what do you do to teach people to avoid this sort of vulnerability in the future? This is not something that we train people to deal with,” Murdoch says. “It’s not one of these ‘sky is falling’ vulnerabilities, but it’s not good.”

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

**NEW YORK** **,** **March 22, 2023** **/PRNewswire/ --** Lightspin, the leading cloud security solution for SaaS companies, today launched the Remediation Hub as part of its cloud-native application protection platform (CNAPP) solution. An evolution of Lightspin's root cause analysis feature, the Remediation Hub provides users the ability to dynamically remediate the most critical cloud environment risks, at scale. As a result, organizations can quickly identify and fix the security threats that matter most. 

"Our Remediation Hub was born out of the overwhelming positive customer response to our root cause analysis feature," said Vladi Sandler, co-founder and CEO for Lightspin. "The Remediation Hub expands on our industry-leading capabilities and helps maximize remediation depth and breadth for overlapping critical issues discovered, thus improving efficiency and reducing the time spent on one-off fixes. By providing the much-needed context, the Remediation Hub allows users to reduce the most risk with minimum actions."

Lightspin analyzes the root cause of all risks detected in the cloud environment including vulnerabilities, misconfigurations, identity risks and prioritizes remediation steps based upon a quantified risk score produced by Lightspin's proprietary algorithm. It then generates the proposed remediation to the root cause – Lightspin is the only CNAPP solution to offer remediation with dynamic guardrails for DevOps. Security teams can quickly and easily see how much a remediation action will improve the security score of their cloud environment. 

In a real-world example, a cloud environment has a root cause risk source of an unpatched image. The image has 100 vulnerabilities and there are five EC2 instances using the image. Most tools will flag 500 vulnerabilities to fix. With Lightspin's root cause analysis, the security team can see that there is only one necessary action: fix the image. 

Other cloud security tools push automated corrective remediation in users' public clouds, but this approach can actually add risk and cause more issues if not implemented carefully. Lightspin's Remediation Hub instead offers recommended remediation with the flexibility for teams to select to apply these fixes to their environments or to modify them to suit their unique organizational requirements.

The Remediation Hub also enables ticketing management via platforms such as Jira and ServiceNow, giving security teams capability to assign owners and track results right in the platform dashboard without navigating to another tool. By centralizing the Lightspin recommended actions and remediations discovered, security teams can simplify and streamline workflows to easily address and understand the root cause of vulnerabilities in their cloud environment. 

**Follow Lightspin**  
LinkedIn: https://www.linkedin.com/company/lightspin/  
Twitter: @lightspintech  
Blog: https://blog.lightspin.io/

**About Lightspin**

Lightspin is the #1 cloud security solution for SaaS companies of all sizes. Agentless and easy to deploy, Lightspin's Cloud Native Application Protection Platform (CNAPP) efficiently prioritizes and remediates cloud security risks in minutes using the industry's only Attack Path Engine built on the graph. Supporting Amazon Web Services, Google Public Cloud, Microsoft Azure and Kubernetes, Lightspin simplifies cloud security and compliance via its self-serve offering and graph-based algorithms. Based in New York and Tel Aviv, Lightspin is backed by Dell Technologies Capital, IBM, and Ibex Investors. Leading SaaS companies such as Imperva, ITV, Kaltura, PageUp and Riskified trust Lightspin to protect their data and workloads in the cloud. Learn more at www.lightspin.io.

Lightspin Launches Remediation Hub to Identify and Fix Cloud Security Threats

A new Tech Insight report examines how the enterprise attack surface is expanding and how organizations must deal with vulnerabilities in emerging technologies.

Keeping applications and networks secure can seem like a Sisyphean task. No matter how much time and resources security and IT teams devote to vulnerability assessment, patching, and other mitigations to reduce cyber-risk, they are not enough. In fact, vulnerability management can feel like a series of never-ending tasks.

There is no shortage of vulnerabilities under attack by criminals. Last year saw major vulnerabilities, such as Log4Shell, Ruby on Rails (Follina), and Spring4Shell, plus flaws in Google Chrome, F5 BIG-IP, Microsoft Office, and Atlassian Confluence, to name a few.

The Cybersecurity Infrastructure Agency's Known Exploited Vulnerabilities catalog currently lists vulnerabilities in widely used enterprise applications, such as Oracle eBusiness suite, SugarCRM, Zoho, Control Web Panel, and Microsoft Exchange Server.

And common, yet dangerous vulnerabilities persistently make their way into Web applications, such as broken access control, cryptographic failures, security misconfigurations, and vulnerable and outdated components.

However, enterprise security teams can’t consider their jobs done just by mitigating these types of vulnerabilities. As they adopt new technologies, enterprises need to expand their vulnerability and attack surface management programs accordingly.

A new Dark Reading Tech Insight report examines key areas for enterprise security teams to pay attention to: firmware, 5G networks, edge computing, operational technology and IT convergence, cloud vulnerabilities and misconfigurations, vulnerabilities in open source software, and vulnerabilities in continuous software development pipelines. The report details these types of vulnerabilities and how to mitigate them.

10 Vulnerability Types to Focus On This Year

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

An analysis of data associated with zero-day attacks in 2022 suggests that threat actors are increasingly probing for security weaknesses in edge-infrastructure technologies, including VPNs, firewalls, and IT management products.

Researchers from Mandiant tracked a total of 55 zero-day vulnerabilities that adversaries exploited in various malicious campaigns last year and found that 10 of them involved an Internet-facing edge device.

Among them were CVE-2022-1040 and CVE-2022-3236 in Sophos firewalls, CVE-2022-20821 in Cisco IOS, CVE-2022-42474 and CVE-2022-41226 in Fortinet's FortiOS, CVE-2022-288810 in Zoho ManageEngine, and CVE-2022-35247 in SolarWinds Serv-u.

**Hunting on the Edge**

Casey Charrier, Mandiant senior analyst at Google Cloud, says adversaries are focusing on edge technologies likely because they perceive enterprise organizations as having fewer capabilities around endpoint detection and response (EDR) than they have around network monitoring.

"That's definitely an element that we assess is a focus of Chinese threat groups right now," Charrier says. "As more organizations integrate Internet of Things (IoT) devices into their environment, they'll need to take this into consideration when evaluating security tools and the security of these devices."

The 55 zero-days that Mandiant observed adversaries using in 2022 are fewer than the all-time high of 81 that its researchers observed in 2021. Even so, the number was nearly three times higher than the 20 zero-days Mandiant observed being exploited in 2020.

**Chinese Actors Continue to Be Most Active Exploiters of Zero-Days**

As has been the case for some time now, Chinese state-sponsored threat groups exploited more zero-days in 2022 than any other threat group. Of the 13 zero-days that Mandiant was able to identify as likely exploited by a state-backed group, seven — or more than half — involved a Chinese advanced persistent threat (APT) group.

One example is CVE-2022-30190, a vulnerability in the Microsoft Windows Support Diagnostic Tool that enables remote code execution (RCE) via malicious Office documents, even when a user might have disabled macros. Chinese threat actors used the vulnerability, also referred to as "Follina," in numerous threat campaigns throughout the year, making it one of the most heavily exploited flaws of 2022.

Several of the zero-days that Chinese state actors leveraged in attacks last year targeted network devices. One example is CVE-2022-42475, a buffer-overflow flaw in FortiOS SSL VPN technology that a China-based actor used in a campaign last year to deliver a highly customized tool for exploiting Fortinet's FortiGate firewalls. Another flaw in this category that a Chinese actor abused is CVE-2022-41328, a path traversal vulnerability in FortiOS. Mandiant observed a Chinese group identified as UNC3886 exploiting the vulnerability in a potential cyber-espionage campaign. The same actor was previously associated with an attack campaign targeting VMware ESXi hypervisors using a new technique with malicious vSphere Installation Bundles.

Mandiant said it also observed zero-day exploit activity involving North Korean threat actors ticking up slightly in 2022 compared with previous years. The two zero-days that Mandiant identified North Korean actors exploiting were: CVE-2022-0609, a Google Chrome vulnerability that a North Korean group exploited in a campaign targeting the high tech, media, and financial sectors, and CVE-2022-41128, an RCE in Windows Server that North Korea's APT37 exploited in a phishing campaign.

**Financially Motivated Cyberattackers Want in on the Action Too**

Financially motivated threat actors continued to be another set of adversaries that actively exploited zero-day vulnerabilities last year, though not to the same extent as in 2021. Of the 16 zero-days for which Mandiant was able to attribute a motive, four were used in financially motivated attacks. Many of these attacks involved ransomware deployments. Examples include CVE-2022-29499, an RCE flaw in a Mitel VoIP appliance that a threat actor used to deploy Lorenz ransomware, and CVE-2022-41091, i.e. a Windows Mark of the Web flaw that the operator of the Magniber ransomware used in one campaign.

Since 2019, zero-day exploit activity involving ransomware groups has been increasing, says Charrier. "This is the case for a variety of reasons," Charrier notes. "For one, ransomware, as a proportion of all financially motivated activity, has continued to grow and take over the criminal ecosystem. Second, it can be more obfuscated in terms of tracking the money as well as tracking any sort of victim payments."

Microsoft, Google, and Apple topped the charts — as they always have — in terms of the number of zero-day vulnerabilities in their respective products. The three vendors together accounted for 37 of the 55 zero-days that Mandiant tracked last year. Fifteen of the zero-days in operating systems affected Windows and nine out of 11 browser zero-days were in Google Chrome.

At the same time, the number of zero-days that threat actors found and exploited in other technologies grew as well. As zero-day numbers increase, so do the number of vendors that are victims, Charrier says: "While the top three targeted vendors remain consistent, the variety of additional targeted vendors generally continues to expand and vary each year."

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

By Waqas
Pinduoduo has confirmed the incident, but denied the presence of malware in its app.
This is a post from HackRead.com Read the original post: Google Suspends Chinese Shopping App Pinduoduo Over Malware Concerns

****The company has criticized the cherry-picking of its app, arguing that other apps have been suspended at the same time and it’s not fair to single out their app.****

Google has temporarily suspended Pinduoduo, a leading Chinese budget shopping app, from its Play Store due to the discovery of malware in certain versions of the app.

The news of Pinduoduo’s ban came just a couple of weeks after Shein, another Chinese shopping giant, was caught copying clipboard content on Android phones of users who were using its older version.

In a statement issued on Tuesday, Google stated that it found malware in some versions of the app that were not available on the Play Store. The company has enforced Google Play Protect, which scans installed Android phone apps for malicious behaviour, on these allegedly harmful apps.

Google has set the Play Protect enforcement to block the installation of these apps and prompt users to uninstall them if they have already downloaded them to their devices.

Pinduoduo has confirmed that it is in communication with Google for further information, and it has also stated that several other apps have been suspended at the same time. Pinduoduo has over 900 million users and is one of China’s most popular e-commerce platforms.

Pinduoduo made a name for itself with its group-buying business model, which allowed users to save money by pooling together and buying items in bulk.

The app’s US-listed parent company, PDD, launched Temu, an online shopping platform in the United States last year, which has quickly become the most downloaded app in the US for both iOS and Android.

The app has been downloaded 24 million times since its launch in September and has more than 11 million monthly active users.

At the time of publication, the Pinduoduo app was unavailable on the Play Store. (Screenshot: Hackread.com)

In a statement, Pinduoduo said that “we strongly reject the speculation and accusation by some anonymous researcher and non-conclusive response from Google that Pinduoduo app is malicious.”

Malware refers to any software developed to steal data or damage computer systems and mobile devices. When hidden in apps, it can be used to gain unauthorized access to information on a user’s phone.

Google has not mentioned Temu in its statement, and the app is still available to download on the Play Store. Pinduoduo has strongly rejected the accusations of malicious activity and speculation surrounding the suspension of its app.

1.  Google removes ClearURLs Chrome extension
2.  Google Ads drop FatalRAT in fake messenger apps
3.  Apple removes Clearview AI iPhone app from Store
4.  Zombinder Lets Hackers Add Malware to Legit Apps
5.  Google bans Avast security extensions over snooping

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Google Suspends Chinese Shopping App Pinduoduo Over Malware Concerns

The documentation for the python CGI module suffers from a cross site scripting vulnerability.

    Is there low hanging fruit for the following observation?The documentation of the python cgi module is vulnerable to XSS(cross site scripting)https://docs.python.org/3/library/cgi.html```form = cgi.FieldStorage()print("<p>name:", form["name"].value)print("<p>addr:", form["addr"].value)```First result on google for "tutorial python cgi"is https://www.tutorialspoint.com/python/python_cgi_programming.htmAnd it is almost the same as the python doc.I verified that setting ```name=<script>alert(document.domain)</script>```will trigger dialog, demonstrating javascript is executedon the cgi host.I would expect that devs who read the docs or tutorials will writevulnerable cgis.

Tag

#google