Cybersecurity researchers give details of Pinduoduo app malware

Published Mon, Mar 27, 2023 · 03:02 PM
    • Some versions of the Pinduoduo app contain malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files. PHOTO: BLOOMBERG


    SECURITY researchers at Moscow-based Kaspersky Lab have identified and outlined potential malware in versions of PDD Holdings’s Chinese shopping app Pinduoduo, days after Google suspended it from its Android app store.

    In one of the first public accountings of the malicious code, Kaspersky laid out how the app could elevate its own privileges to undermine user privacy and data security. It tested versions of the app distributed through a local app store in China, where Huawei Technologies, Tencent Holdings and Xiaomi run some of the biggest app markets.

    Kaspersky’s findings, shared with Bloomberg News, were among the clearest explanations from an independent security team for what triggered Google’s action and malware warning last week. The cybersecurity firm, which has played a role in uncovering some of the biggest cyberattacks in history, said it found evidence that earlier versions of Pinduoduo exploited system software vulnerabilities to install backdoors and gain unauthorised access to user data and notifications. 

    Those conclusions agreed in large part with those of researchers who had posted their discoveries online in past weeks, though Bloomberg News has not verified the authenticity of the earlier reports.

    “Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” said Igor Golovin, a Kaspersky security researcher.

    Google last week took the rare step of halting downloads of the app from one of China’s largest online retailers, urging users to uninstall Pinduoduo if they already have it on their device. That warning, visible to users with Google Mobile Services – which are unavailable in China – calls the app “harmful” and warns it can allow unauthorised access to a user’s data or device. The designation and warning were still in place as at Monday (Mar 27) in Hong Kong. PDD, which has rejected claims of its app containing malicious code, did not respond to requests for comment on Monday.


    The security incident may add fuel to already heated rhetoric in the US about data insecurity with Chinese apps. While Pinduoduo is largely used in China, PDD’s other app Temu – which sells everything from clothes to kitchen supplies – has been the most-downloaded app on Apple’s US app store for much of the past few months. It has not yet been the focus of lawmaker scrutiny the way that ByteDance’s TikTok has.

    Kaspersky, which the US last year placed on a list of companies it deemed a threat to national security, said it did not discover the malicious versions of the Pinduoduo app but drew on earlier research by Chinese cybersecurity analysts.

    PDD competes for market share in the hotly contested China e-commerce sector led by Alibaba Group Holding and JD.com. The upstart competitor, which carved out its own place in the domestic market by addressing underserved consumers, also has lofty ambitions for growth in North America through its Temu app. BLOOMBERG
