Mar 27, 2023
Pinduoduo App Malware Detailed by Cybersecurity Researchers
(Bloomberg) -- Security researchers at Moscow-based Kaspersky Lab have identified and outlined potential malware in versions of PDD Holdings Inc.’s Chinese shopping app Pinduoduo, days after Google suspended it from its Android app store.
In one of the first public accountings of the malicious code, Kaspersky laid out how the app could elevate its own privileges to undermine user privacy and data security. It tested versions of the app distributed through a local app store in China, where Huawei Technologies Co., Tencent Holdings Ltd. and Xiaomi Corp. run some of the biggest app markets.
Kaspersky’s findings, shared with Bloomberg News, were among the clearest explanations from an independent security team for what triggered Google’s action and malware warning last week. The cybersecurity firm, which has played a role in uncovering some of the biggest cyberattacks in history, said it found evidence that earlier versions of Pinduoduo exploited system software vulnerabilities to install backdoors and gain unauthorized access to user data and notifications.
Those conclusions agreed in large part with those of researchers that had posted their discoveries online in past weeks, though Bloomberg News hasn’t verified the authenticity of the earlier reports.
“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” said Igor Golovin, a Kaspersky security researcher.
Google last week took the rare step of halting downloads of the app from one of China’s largest online retailers, urging users to uninstall Pinduoduo if they already have it on their device. That warning, visible to users with Google Mobile Services — which are unavailable in China — calls the app “harmful” and warns it can allow unauthorized access to a user’s data or device. The designation and warning were still in place as of Monday in Hong Kong. PDD, which has rejected claims of its app containing malicious code, didn’t respond to requests for comment on Monday.
Read more: Google Halts PDD App After Finding Malware in Some Versions
The security incident may add fuel to already heated rhetoric in the US about data insecurity with Chinese apps. While Pinduoduo is largely used in China, PDD’s other app Temu — which sells everything from clothes to kitchen supplies — has been the most-downloaded app on Apple Inc.’s US app store for much of the past few months. It has not yet been the focus of lawmaker scrutiny the way that ByteDance Ltd.’s TikTok has.
Kaspersky, which the US last year placed on a list of companies it deemed a threat to national security, said it did not discover the malicious versions of the Pinduoduo app but drew on earlier research by Chinese cybersecurity analysts.
Read more: ByteDance’s Next Stop for TikTok Is US Courts as CEO Falls Flat
PDD competes for market share in the hotly contested China e-commerce sector led by Alibaba Group Holding Ltd. and JD.com Inc. The upstart competitor, which carved out its own place in the domestic market by addressing underserved consumers, also has lofty ambitions for growth in North America through its Temu app.
©2023 Bloomberg L.P.