According to security researchers at Lookout, the Pinduoduo app was used in a sophisticated malware attack that let it covertly take control of millions of user devices, steal personal information, and install further malicious software.
The malicious versions of the Pinduoduo app were found in unofficial app markets, which are widely used by users in China and elsewhere who cannot access or find the official Google Play store. No malicious versions were found on Google Play or the Apple App Store.
Lookout researchers discovered that at least two Android versions of Pinduoduo obtained from unofficial sources exploited CVE-2023-20963, a security flaw in Android that Google patched in recent updates made available to users two weeks ago.
The malicious code gave the app elevated privileges, which it used to fetch code from a designated developer site and execute it in a privileged context. Researchers found the malware after it was reported last month by a research service named Dark Navy.
The report noted that the app included a “bundle feng shui-Android parcel serialization and deserialization [exploit] that appears to be unknown in recent years”. Since then, others have shared evidence of the malware, including a user who provided researchers with code and instructions for locating the alleged exploit.
On investigation, Lookout researchers found that the app could install itself secretly and resist uninstallation. It also inflated Pinduoduo’s reported daily and monthly active user counts, uninstalled rival apps, stole users’ private data, and circumvented various privacy compliance rules.
PDD Holdings, Pinduoduo’s parent company, denied the claims, stating that it “strongly reject[s] the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher”. Lookout researchers disagree, adding that a more thorough review will likely uncover more exploits in the app.
The sources for this piece include an article in ArsTechnica.