April 3 — A Chinese shopping app created with the help of an ex-Google employee, Pinduoduo gained marketplace traction quickly and seemed to have a smart digital strategy. The e-Commerce exchange offers steep discounts, an interface that looks more like a newsfeed than an e-Commerce site, and popular social media integration capabilities. More than 750 million people used the app every month.
However, recent concerns surrounding privacy and security have tarnished Pinduoduo’s reputation. Many apps now collect vast quantities of user data without explicit user permission, and while that infringement shouldn’t be ignored, Pinduoduo’s actions are next-level disquieting.
After a detailed investigation, cyber security researchers have confirmed that the Pinduoduo app can bypass users’ cell phone security to look at information stored in other apps. The Pinduoduo app can also read private text messages and change phone settings. And once installed, the app is difficult to remove.
In short, Pinduoduo uses malware to spy on users and competitors. Company insiders confirmed that the malware/spyware embedded in the app wasn’t there by accident.
According to Check Point researchers, the app managed to evade scrutiny via a series of mechanisms. For instance, the app deployed a method that allowed it to push updates without going through the formal app store review process, a process that is intended to detect malicious applications.
In addition, researchers identified plug-ins designed to obscure malicious app elements by hiding them under legitimate file names. “Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” said Check Point researchers.
Concerns regarding malware in Pinduoduo’s app were first brought to light in February of this year. While the original researchers chose not to name the app in a cyber security report, the research information spread, and other researchers eventually called out Pinduoduo.
Shortly thereafter, Pinduoduo issued a new update for its app, removing the exploits. Two days after the update, Pinduoduo disbanded the team of engineers and product managers responsible for developing the exploits.
Nonetheless, a core group of roughly 20 cyber security engineers who are experts in finding and exploiting vulnerabilities remains at Pinduoduo. And although the exploits and a few engineers were removed, the underlying malicious code is apparently still present. Experts say that it could be reactivated.