Chinese shopping app accused of spying and exploiting Android

2023-04-03

China's popular shopping app, Pinduoduo, has been accused of exploiting Android vulnerabilities to spy on users and rivals. According to cybersecurity experts, Pinduoduo's malware could monitor user activity in other apps, read private messages, and even change the settings of users' phones. Many apps collect data without users' explicit consent, but Pinduoduo went further, violating both users' privacy and their data security.

Several teams of cybersecurity researchers from various parts of the world identified malware in Pinduoduo's app that exploited multiple vulnerabilities in the Android operating system. Some of the exploits were tailor-made for the customized, device-specific parts of Android known as original equipment manufacturer (OEM) code, which tends to be audited less often than the core Android software, the Android Open Source Project (AOSP). Pinduoduo also exploited some AOSP vulnerabilities, including one that Android security expert Sergey Toshin reported to Google in February 2022 and that Google fixed in March of the same year. In total, Pinduoduo exploited about 50 Android system vulnerabilities, giving it access to users' locations, contacts, calendars, notifications, and photo albums without their consent. The exploits could also change system settings and access users' social network accounts and chats.

Concerns about Pinduoduo's apparent malware were first raised in late February 2023 in a report by a Chinese cybersecurity firm called Dark Navy. The report quickly spread among other researchers, who confirmed the original findings. Soon after, on March 5, 2023, Pinduoduo issued an app update, v6.50.0, which removed the exploits, according to two experts. However, the underlying code was still present and could be reactivated to carry out attacks.

The accusations against Pinduoduo are set against the backdrop of the Chinese government's recent regulatory clampdown on Big Tech companies that began in late 2020. The Ministry of Industry and Information Technology launched a sweeping crackdown on apps that illegally collect and use personal data, and in 2021, Beijing passed its first comprehensive data privacy legislation, the Personal Information Protection Law. Pinduoduo's apparent malware would violate those laws, according to tech policy experts, and should have been detected by the regulator.

The Chinese regulatory body responsible for enforcing laws and regulations in the technology and communications industries is the Ministry of Industry and Information Technology. The ministry has been publishing lists of apps that undermine user privacy or other rights, as well as apps that fail to comply with regulations. Pinduoduo was not named on any of the lists, which raises questions about the regulator's competence. Some cybersecurity experts have taken to Chinese social media to question why the regulators haven't taken any action, and have expressed concern about regulators' lack of the technical expertise needed to identify such malicious activity.

The investigation by CNN revealed that Pinduoduo's engineering team initially targeted users in rural areas and smaller towns, while avoiding users in megacities such as Beijing and Shanghai, to reduce the risk of being exposed. By collecting expansive data on user activity, Pinduoduo was able to build a comprehensive portrait of users' habits, interests, and preferences, which allowed it to improve its machine learning model and deliver more personalized push notifications and ads, enticing users to open the app and place orders.

In conclusion, Pinduoduo's apparent malware violates user privacy, data security, and Chinese laws and regulations. While the company has denied the accusations, several cybersecurity experts have confirmed that it developed exploits to spy on users and competitors, allegedly to boost sales. The Chinese government has set strict data privacy and cybersecurity regulations that prohibit companies from exploiting vulnerabilities and endangering users' data. However, the lack of technical expertise and of regulatory action raises doubts about China's ability to enforce its laws and protect its citizens.
