But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings. And once installed, it’s tough to remove.
While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.
In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.
Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.
“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm. “This is highly unusual, and it is pretty damning for Pinduoduo.”
Malware, short for malicious software, refers to any software developed to steal data or interfere with computer systems and mobile devices.
Evidence of sophisticated malware in the Pinduoduo app comes amid intense scrutiny of Chinese-developed apps like TikTok over concerns about data security. Some American lawmakers are pushing for a national ban on the popular short-video app, whose CEO Shou Chew was grilled by Congress for five hours last week about its relations with the Chinese government.
The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.
While Temu has not been implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.
There is no evidence that Pinduoduo has handed data to the Chinese government. But as Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities.
Pinduoduo’s parent company PDD is listed on the Nasdaq in New York. Mike Segar/Reuters/File
The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app. An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app. Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”
Pinduoduo, which boasts a user base that accounts for three quarters of China’s online population and a market value three times that of eBay (EBAY), wasn’t always an online shopping behemoth.
Founded in 2015 in Shanghai by Colin Huang, a former Google employee, the startup was fighting to establish itself in a market long dominated by e-commerce stalwarts Alibaba (BABA) and JD.com (JD). It succeeded by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas.
Pinduoduo posted triple digit growth in monthly users until the end of 2018, the year it listed in New York. By the middle of 2020, though, the increase in monthly users had slowed to around 50% and would continue to decline, according to its earnings reports.
Colin Huang, a former Google employee, founded Pinduoduo in 2015 in Shanghai. He stepped down as CEO in 2020 and resigned as chairman the following year. VCG/VCG/Getty Images/File
It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.
According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai. “The goal was to reduce the risk of being exposed,” they said.
By collecting expansive data on user activities, the company was able to create a comprehensive portrait of users’ habits, interests and preferences, according to the source. The team was disbanded in early March, the source added, after questions about their activities came to light.
Approached by CNN, researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.
Google Play is not available in China, and Android users in the country download their apps from local stores. In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.
The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.
“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.
In China, about three quarters of smartphone users are on the Android system. Luo Yunfei/China News Service/VCG/Getty Images
The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said. It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.
Check Point Research additionally identified ways in which the app was able to evade scrutiny. The app deployed a method that allowed it to push updates without an app store review process meant to detect malicious applications, the researchers said.
They also identified in some plug-ins the intent to obscure potentially malicious components by hiding them under legitimate file names, such as Google’s. “Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” they said.
In China, about three quarters of smartphone users are on the Android system. Apple (AAPL)’s iPhone has 25% market share, according to Daniel Ives of Wedbush Securities.
Sergey Toshin, the founder of Oversecured, said Pinduoduo’s malware specifically targeted different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi and Oppo.
Toshin described Pinduoduo as “the most dangerous malware” ever found among mainstream apps. “I’ve never seen anything like this before. It’s like, super expansive,” he said.
Most phone manufacturers globally customize the core Android software, the Android Open Source Project (AOSP), to add unique features and applications to their own devices. Toshin found Pinduoduo to have exploited about 50 Android system vulnerabilities. Most of the exploits were tailor made for customized parts known as the…
AI Summary
Key Points:
- Malware found in Pinduoduo app can spy on users and competitors by exploiting Android vulnerabilities
- Pinduoduo’s alleged actions raise concerns about privacy violations and data security, drawing parallels to scrutiny faced by other Chinese-developed apps like TikTok
- Google suspended Pinduoduo from its Play Store over identified malware, leading to backlash against the app’s parent company PDD listed on Nasdaq
- Pinduoduo’s rapid growth and market value have made it a significant player in China’s online shopping market, but recent controversies threaten its reputation and international expansion
- No evidence of data sharing with Chinese government, but concerns persist over potential security cooperation due to Beijing’s influence