Chinese E-Commerce Giant Pinduoduo Allegedly Spies on Users
Popular Budget App Was Suspended From Play Store in March
Days after Google suspended the popular budget e-commerce application Pinduoduo from its Play Store, researchers are alleging that the Chinese app can bypass phones' security and monitor activities of other apps, including accessing private messages and changing settings.
Google suspended the app from the Play Store in March because of malware present in versions of the Chinese app downloadable from other online stores. The app, which is impossible to remove once installed, collects user data without consent, according to a report from CNN.
"E-commerce giant Pinduoduo has taken violations of privacy and data security to the next level," CNN reported, citing multiple cybersecurity experts from Asia, Europe and the United States.
A spokesperson for Pinduoduo did not immediately respond to Information Security Media Group's request for comment.
Pinduoduo parent company PDD Holdings recently announced its fourth-quarter revenue of $5.79 billion, a figure below expectations. The company said it has 800 million monthly active users across the globe. Google's suspension did not appear to affect Temu, Pinduoduo's app for the U.S. market.
Mikko Hyppönen, chief research officer at Finnish cybersecurity firm WithSecure, told CNN that he has not previously seen "a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to."
"The methods used by the Pinduoduo app in China are highly unusual," Hyppönen said in a tweet. "There are a couple of scenarios of what might have happened here, and all of them are bad: Pinduoduo is hacked, Pinduoduo has a malicious insider, Pinduoduo lost their signing key, Pinduoduo hacked their own users."
TechCrunch also reported that multiple Chinese security researchers had flagged malicious code designed to monitor users within Pinduoduo versions.