Mar 20, 2023
Google Suspends Pinduoduo After Finding Malware in Versions
(Bloomberg) -- Google has suspended PDD Holdings Inc.’s main Chinese shopping app Pinduoduo after discovering malware in unsanctioned versions of the software, dealing a blow to one of the country’s biggest online retailers.
The Mountain View, California-based company said on Tuesday it is investigating the matter and suspended downloads of the Play Store version of Pinduoduo as a security precaution. Google didn’t mention Temu, PDD’s popular shopping app for the US, which remains available to download.
The action may cast a cloud over the company at a time when US lawmakers have accused Chinese-owned apps such as TikTok of potentially threatening national security. While Pinduoduo is largely used in China, it’s rare for Google to freeze downloads of a major app of its size and scale.
PDD shares rose 1.6% in early New York trading. The gains recoup some losses from Monday’s slide of more than 14%, the most in five months, following a report of sales that missed analyst estimates.
In a statement, PDD strongly rejected accusations that its app was “malicious,” calling Google’s statement “non-conclusive” and adding that the US company had suspended other apps apart from Pinduoduo at the same time. It didn’t identify those services.
“We strongly reject the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” the Chinese company said in an emailed statement. “There are several apps that have been suspended from Google Play at the same time and we find it peculiar that Bloomberg chose to single out Pinduoduo.”
Google warned users Tuesday to uninstall off-store versions of Pinduoduo. It’s unclear whether other local app stores run by Huawei Technologies Co., Xiaomi Corp. and Tencent Holdings Ltd. are looking into the allegations. PDD’s main shopping app serves more than 700 million mainly Chinese people monthly, and is more commonly downloaded via domestic platforms as Google’s isn’t available in the country. Spokespeople for Tencent, Huawei and Xiaomi also didn’t immediately respond to queries.
“Google Play Protect enforcement has been set to block installation attempts of these identified malicious apps,” a Google spokesperson said. “Users that have malicious versions of the app downloaded to their devices are warned and prompted to uninstall the app.”
Code from previous versions of the app on GitHub show malware present, said Shawn Chang, founder and chief executive officer of Hong Kong-based security firm HardenedVault, who’s aware of the industry talk but hasn’t examined the software in detail or spoken with PDD. Bloomberg News hasn’t verified the authenticity of the code on GitHub or posts written on the coding service.
“According to that publicly available information, PDD has used nday/0day exploits, targeting Android parcel serialization/deserialization to gain system privileges,” he said.
Read more: PDD Plunges After Disappointing Sales Join Price War Fears
What Bloomberg Intelligence Says:
PDD Holdings’ (formerly Pinduoduo) suspended namesake app — which Google removed from its store on malware allegations — raises the cybersecurity stakes it faces as it pushes beyond mainland China. Google’s recommendation for users to uninstall PDD’s apps risks stoking similar concerns about its overseas e-commerce app, Temu, which could prompt new customers to turn tail and abandon the platform.
- Catherine Lim and Trini Tan, analysts
Click here for the research.
The Chinese online retailer has in recent years taken market share from leaders Alibaba Group Holding Ltd. and JD.com Inc. while aggressively expanding in North America with Temu. Investors had previously pushed PDD shares to their highest in more than a year, identifying the eight-year-old company as a winner in the escalating battle to win over Chinese consumers.
PDD started out in 2015 with the aim of covering markets Alibaba and JD neglected, such as poorer rural cities. The company has since moved into pricier goods, covered more cities and launched a US app that’s surged in popularity in just a few months.
Much like fast-fashion upstart Shein, Temu is capturing US shoppers with bargains at a time most consumers are tightening their belts. Temu was the most downloaded app on Apple Inc.’s US app store for much of the past few months. It achieved about $500 million GMV in the US during its first five months of operation, according to data analytics firm YipitData. In January alone, sales were almost $200 million, the data show. Temu launched in Canada, its second market, in February.
--With assistance from Jane Zhang and Amy Thomson.
(Updates shares in fourth paragraph.)
©2023 Bloomberg L.P.