

Popular shopping app spying on Android users with ‘most dangerous malware’




It is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.

But according to cybersecurity researchers, it can also bypass users’ mobile phone security to monitor activities on other apps, check notifications, read private messages and change settings.

And once installed, it’s tough to remove.


While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.

In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tip off.

Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilised to spy on users and competitors, allegedly to boost sales.

Cybersecurity experts have identified the presence of malware on Pinduoduo, China’s popular shopping app. Credit: CFOTO/Future Publishing/Getty Images

“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” Finnish cybersecurity firm WithSecure chief research officer Mikko Hyppönen said.

“This is highly unusual, and it is pretty damning for Pinduoduo.”

Malware, short for malicious software, refers to any software developed to steal data or interfere with computer systems and mobile devices.

Other apps under scrutiny

Evidence of sophisticated malware in the Pinduoduo app comes amid intense scrutiny of Chinese-developed apps such as TikTok over concerns about data security.

Some American lawmakers are pushing for a national ban on the popular short-video app, whose CEO Shou Chew was grilled by Congress for five hours last week about its relations with the Chinese government.

The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.

While Temu has not been implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.

There is no evidence that Pinduoduo has handed data to the Chinese government. But as Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to co-operate with a broad range of security activities.

The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.

An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.

Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”

CNN has contacted PDD multiple times over email and phone for comment, but has not received a response.

What experts found

Approached by CNN, researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.

Google Play is not available in China, and Android users in the country download their apps from local stores. In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.

The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.

“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.