An Android zero-day that exploited millions of devices via a Chinese ecommerce app was added Thursday to the catalog of known exploited vulnerabilities by the U.S. agency in charge of securing the nation’s cybersecurity and infrastructure.The U.S. Cybersecurity and Infrastructure Security Agency was responding to reports in the press about the zero-day vulnerability and confirmation from researchers on the vulnerability’s authenticity.About a week after Google removed Pinduoduo from its Play Store in late March, researchers at mobile security company Lookout confirmed for Ars Technica that the Pinduoduo app appeared to take control of devices, harvest data, and install other software, with…