…
Pinduoduo — According to cybersecurity experts, Pinduoduo, one of China’s most popular shopping applications, could well monitor users.
The software may be able to bypass mobile phone security in order to spy on other programs on the device.
In addition, the app can monitor notifications, change settings, and access private chats.
The app is tricky to uninstall.
The investigation
Pinduoduo pushes the frontiers of data security and privacy.
Several systems collect large amounts of user data without their awareness or consent, but Pinduoduo takes it to a whole new level.
Cybersecurity teams from Asia, Europe, and the United States, as well as past and current Pinduoduo personnel, uncovered the flaw.
Several researchers detected malware on the app that can attack vulnerabilities in the Android operating system.
Insiders claim that the vulnerabilities were used to increase sales by targeting customers and competition.
Mikko Hyppönen, WithSecure’s chief research officer in Finland, said:
“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to.”
“This is highly unusual, and it is pretty damning for Pinduoduo.”
TikTok & security concerns
The uncovering of malware in Pinduoduo comes at a critical juncture for TikTok and data security.
The revelations are intended to raise awareness of Temu, the scam’s sister that is currently sweeping the United States.
Pinduoduo’s claimed behavior may have an influence on the growth of its sibling app, despite the fact that Temu has not been addressed.
So yet, no evidence of Pinduoduo sending data to the Chinese government has been discovered.
Yet, US politicians have raised concern that Chinese firms will be obliged to comply with security procedures.
Initial suspension
Pinduoduo was withdrawn from the Google Play Store in March after malware was discovered in prior versions of the app.
According to Bloomberg, a Russian cybersecurity firm found suspected malware.
Originally, the company refuted the charges and expressed worries about the safety of the program.
Rise of an empire
While Pinduoduo is now well-known for its online shopping, the firm had humble beginnings.
It was founded in 2015 in Shanghai by Colin Huang, a former Google employee.
The app began as an underdog in a world dominated by Alibaba and JD.com.
Pinduoduo grew in popularity by giving steep discounts, encouraging group purchases from friends and relatives, and focused on low-income rural areas.
According to financial statistics, the company thrived until the middle of 2020, when monthly customers dropped below 50%, continuing a decreasing trend.
By 2020, the company will have a workforce of 100 engineers and product managers searching for flaws and vulnerabilities in Android phones to exploit.
According to one claimed employee, the company only targeted people in tiny towns and villages, ignoring large cities like Beijing and Shanghai.
“The goal was to reduce the risk of being exposed,” they explained.
The organization was able to generate a picture of consumers’ actions and interests using user activity data.
According to the insider, the data also assisted the corporation in improving its machine-learning model, allowing it to give more personalized notifications and adverts.
The organization was terminated in early March due to concerns about its activities.
Read also: Credit Suisse Emergency Loan Instills Banking Fears
Findings
Researchers from Check Point Research, Oversecured, and WithSecure separately assessed the app’s 6.49.0 version.
Pinduoduo was shut down by Google in March, alleging malware detection in off-Play versions as the reason.
The researchers identified privilege escalation malware, which targets vulnerable operating systems to get unauthorized data access.
“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.
According to the corporation, the application may run in the background and prevent itself from being deleted, hence raising monthly active user rates.
Pinduoduo may spy on rivals by seeing and collecting data on their behaviors.
Check Point Research uncovered a way to prevent malware detection.
It utilized a mechanism to submit updates without being subjected to app store reviews, which are generally used to detect malicious software.
Many plug-ins hid very dangerous technology under legitimate file names.
“Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” said experts.
Targeting Android
The Android operating system is used by three-quarters of Chinese smartphone users, while Apple iPhones account for 25% of the market.
According to Oversecured inventor Sergey Toshin, Punduoduo’s virus targets Android-based operating systems, notably Samsung, Huawei, Xiaomi, and Oppo.
According to Toshin, the app is a mainstream entity with the most deadly malware.
“I’ve never seen anything like this before,” he said. “It’s like, super expansive.”
Toshin determined that the virus took use of more than 50 Android system vulnerabilities, each of which was designed for certain components.
Pinduoduo also exploited AOSP flaws, one of which he disclosed to Google in February 2022.
So far, it was fixed by Google in March of this year.
The vulnerability gave the app access to the following without the user’s knowledge:
- Calendars
- Contacts
- Locations
- Notifications
- Photo albums
The malware might also modify system settings, granting it access to users’ social media accounts and communications.
Law violation
The Chinese government’s Big Tech regulatory drive, which began in late 2020, has increased Pinduoduo’s user base.
By 2021, China will have passed its first comprehensive data privacy legislation, ensuring that no organization gathers, manages, or transmits personal information inappropriately.
“This would be embarrassing for the Ministry of Industry and Information Technology, because this is their job,” said Trivium China tech policy expert Kendra Schaefer.
“They’re supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator.”
Experts in cybersecurity questioned why the government was not aggressively working on it on Chinese social media.
“Probably none of our regulators can understand coding and programming, nor do they understand technology,” an expert wrote on Weibo.
“You can’t even understand the malicious code when it’s shoved right in front of your face.”
