Introduction to Allegations Against Pinduoduo
Pinduoduo, a prominent Chinese shopping application boasting over 750 million monthly users, has come under intense scrutiny following revelations from cybersecurity researchers. The app, which facilitates the sale of a vast array of products, is now accused of containing sophisticated malware designed to circumvent mobile device security protocols. This alleged malicious software reportedly allowed the app to monitor activities across other applications, access notifications, read private messages, and alter device settings. Furthermore, once installed, the malware was reportedly difficult to remove.
While many applications collect user data, sometimes without explicit consent, experts suggest that Pinduoduo's actions represent a significant escalation in privacy and data security violations. A detailed investigation, which included interviews with multiple cybersecurity teams from Asia, Europe, and the United States, as well as current and former Pinduoduo employees, unearthed evidence of malware. This malware reportedly exploited vulnerabilities within Android operating systems. Insiders from the company claimed these exploits were utilized to surveil users and competitors, ostensibly to enhance sales performance.
"We haven't seen a mainstream app like this trying to escalate their privileges to gain access to things that they're not supposed to gain access to," stated Mikko Hyppönen, Chief Research Officer at WithSecure, a Finnish cybersecurity firm. "This is highly unusual, and it is pretty damning for Pinduoduo."
The term 'malware' refers to any software developed with the intent to steal data or disrupt computer systems and mobile devices. These findings emerge amidst heightened global scrutiny of Chinese-developed applications, such as TikTok, due to ongoing concerns regarding data security and potential links to the Chinese government. The revelations are also likely to impact perceptions of Temu, Pinduoduo's international sister app, which is rapidly gaining popularity in Western markets. Both applications are owned by PDD, a multinational company listed on Nasdaq, with its origins in China. While Temu has not been directly implicated in these specific allegations, the purported actions of Pinduoduo could cast a shadow over its global expansion efforts.
Lack of Direct Government Link, but Broader Concerns
Currently, there is no direct evidence indicating that Pinduoduo has shared user data with the Chinese government. However, the significant influence Beijing holds over businesses operating within its jurisdiction has led to concerns among U.S. lawmakers. They fear that any company based in China could be compelled to cooperate with a range of state security activities. These developments follow Google's decision in March to suspend Pinduoduo from its Play Store, citing identified malware in certain versions of the app. A subsequent report by Bloomberg also indicated that a Russian cybersecurity firm had detected potential malware within the application. Pinduoduo has previously refuted such claims, dismissing them as "speculation and accusation."
Pinduoduo's Ascent and Alleged Practices
Founded in Shanghai in 2015 by Colin Huang, a former Google employee, Pinduoduo initially vied for market share against established e-commerce giants like Alibaba and JD.com. The company achieved rapid growth by offering substantial discounts on group-buying orders and focusing on lower-income, rural demographics. Pinduoduo experienced triple-digit growth in monthly users until late 2018, the year it went public in New York. However, by mid-2020, the rate of increase in monthly users began to decline.
According to a current Pinduoduo employee, it was in 2020 that the company allegedly established a team of approximately 100 engineers and product managers. This team's purported objective was to identify vulnerabilities in Android phones, develop methods to exploit them, and subsequently leverage these exploits for financial gain. The anonymous source indicated that the company initially targeted users in rural areas and smaller towns, deliberately avoiding major metropolitan areas like Beijing and Shanghai to reduce the risk of exposure. By collecting extensive data on user activities, the company reportedly aimed to construct comprehensive profiles of user habits, interests, and preferences. This data, the source claimed, facilitated the enhancement of their machine learning models, enabling more personalized push notifications and advertisements, thereby encouraging app usage and purchases. The team was reportedly disbanded in early March after questions regarding their activities surfaced.
Expert Findings on Malware Capabilities
Cybersecurity researchers from Check Point Research (Tel Aviv), Oversecured (Delaware), and WithSecure independently analyzed version 6.49.0 of the Pinduoduo app, released on Chinese app stores in late February. (Google Play is not available in China, so Android users there rely on local app stores.) The researchers discovered code designed for "privilege escalation," a type of cyberattack that exploits vulnerabilities in an operating system to gain unauthorized, higher levels of data access. Hyppönen confirmed that their team reverse-engineered the code, verifying its attempts to escalate privileges and access functionalities typically restricted to normal Android applications.
The app reportedly possessed the ability to operate continuously in the background and resist uninstallation, which could artificially inflate its monthly active user statistics. Additionally, it was said to be capable of monitoring competitors by tracking activity on other shopping applications and extracting information from them. Check Point Research also identified methods the app used to evade scrutiny, including pushing updates without undergoing the standard app store review process designed to detect malicious applications. The researchers also noted instances where potentially malicious components were obscured by being hidden under legitimate-sounding file names, such as those associated with Google.
Sergey Toshin, founder of Oversecured, characterized Pinduoduo's malware as "the most dangerous malware" ever encountered in mainstream applications. He noted its specific targeting of various Android-based operating systems, including those used by Samsung, Huawei, Xiaomi, and Oppo. Toshin's analysis revealed that Pinduoduo exploited approximately 50 Android system vulnerabilities, many of them tailored to the manufacturer-customized portions of the system known as original equipment manufacturer (OEM) code. OEM code is audited less frequently than the Android Open Source Project (AOSP), making it more susceptible to vulnerabilities. Pinduoduo also exploited several AOSP vulnerabilities, including one reported by Toshin to Google in February 2022, which Google subsequently patched in March.
According to Toshin, these exploits enabled Pinduoduo to access users' locations, contacts, calendars, notifications, and photo albums without consent. They could also modify system settings and access users' social network accounts and chats. Other cybersecurity firms, while not conducting full examinations, observed that Pinduoduo requested an unusually high number of permissions for a shopping app, including "potentially invasive permissions" like "set wallpaper" and "download without notification," as noted by René Mayrhofer, head of the Institute of Networks and Security at the Johannes Kepler University Linz.
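The permission review Mayrhofer describes is something an app vetting team can automate. The following is an added example, not code from the article or from any of the firms named in it: it parses an AndroidManifest.xml and flags declared permissions that fall outside an assumed baseline for a shopping app. The baseline, the watchlist descriptions and the sample manifest are all constructed for illustration; the permission constant names are the standard Android ones.

```python
# Added example: audit an Android app's declared permissions against a
# baseline for its app category, flagging the kinds of permissions the
# article's researchers called unusual for a shopping app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: permissions a typical shopping app plausibly needs.
SHOPPING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",  # barcode / QR scanning
}

# Permissions worth a second look in a shopping app; the descriptions map to
# capabilities mentioned in the article (wallpaper, silent downloads, settings,
# contacts, calendar). The list is illustrative, not exhaustive.
WATCHLIST = {
    "android.permission.SET_WALLPAPER": "change the device wallpaper",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "download files silently",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALENDAR": "read calendar",
}

def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest string."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}

def audit_permissions(manifest_xml: str) -> dict:
    """Split declared permissions into those outside the baseline and those on the watchlist."""
    perms = declared_permissions(manifest_xml)
    return {
        "unexpected": sorted(perms - SHOPPING_BASELINE),
        "flagged": {p: WATCHLIST[p] for p in sorted(perms & set(WATCHLIST))},
    }

# Constructed sample manifest for a hypothetical app; not Pinduoduo's real manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit_permissions(SAMPLE_MANIFEST)["flagged"].items():
        print(f"{perm}: {why}")
```

A real review would run this over the manifest extracted from the APK and treat every flagged entry as a question for the developer, since a permission alone does not prove misuse.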
Team Disbandment and Regulatory Implications
Initial suspicions regarding malware in Pinduoduo's app emerged in late February through a report by Chinese cybersecurity firm Dark Navy. Although the report did not explicitly name Pinduoduo, its findings quickly circulated among other researchers who subsequently identified the company. Following these reports, Pinduoduo released an update, version 6.50.0, on March 5, which reportedly removed the exploits. Two days later, the team of engineers and product managers allegedly responsible for developing the exploits was disbanded. Team members reportedly lost access to internal communication tools and company files. Most were transferred to Temu, Pinduoduo's sister app, where they were assigned to various departments, including marketing and push notification development. However, a core group of approximately 20 cybersecurity engineers specializing in vulnerability research reportedly remained at Pinduoduo. Toshin of Oversecured, who examined the updated app, cautioned that while the exploits were removed, the underlying code remained, suggesting the potential for reactivation.
These allegations raise questions about regulatory oversight in China. The Chinese government initiated a crackdown on tech companies for illegal data collection and usage in late 2020, and in 2021, enacted its first comprehensive data privacy legislation, the Personal Information Protection Law. This law prohibits the illegal collection, processing, or transmission of personal information and forbids exploiting security vulnerabilities. Experts suggest that Pinduoduo's alleged malware would constitute a violation of these laws, implying a potential oversight failure by regulators. Kendra Schaefer, a tech policy expert at Trivium China, remarked that such a situation would be "embarrassing for the Ministry of Industry and Information Technology, because this is their job."
Source: Hundreds of millions at risk from Chinese shopping app malware