Pinduoduo & Temu; Let’s Go Shopping

11021568859?profile=RESIZE_400xIt is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.  But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings.  And once installed, it’s tough to remove.

While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.[1]

In a detailed media investigation, half a dozen cybersecurity teams from Asia, Europe and the United States were interviewed, as well as multiple former and current Pinduoduo employees, after receiving a tip.  Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems.  Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.  “We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said the chief research officer at WithSecure, a Finnish cybersecurity firm.  “This is highly unusual, and it is pretty damning for Pinduoduo.”

Evidence of sophisticated malware in the Pinduoduo app comes at a time when intense scrutiny of Chinese-developed apps like TikTok are being debated over data security concerns.  Some US lawmakers are pushing for a national ban on the TikTok app, whose US CEO was grilled by US Congress for five hours last week about its relations with the Chinese government.  These current  revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets.  Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.  While Temu has not been directly implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.

11021568684?profile=RESIZE_400xThere is no evidence that Pinduoduo has handed data to the Chinese government, but it is common knowledge in the intelligence community that all business in China is controlled by it’s the China Communist Party (CCP).  As Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities.

The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.  An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.  Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”  PDD has not issued any statements regarding these allegations. 

Pinduoduo, which boasts a user base that accounts for three quarters of China’s online population and a market value three times that of eBay (EBAY), was not always an online shopping behemoth.   Founded in 2015 in Shanghai by Colin Huang, a former Google employee, the startup was fighting to establish itself in a market long dominated by e-commerce stalwarts Alibaba (BABA) and (JD).  It succeeded by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas.  Pinduoduo posted triple digit growth in monthly users until the end of 2018, the year it listed in New York.  By the middle of 2020, though, the increase in monthly users had slowed to around 50% and would continue to decline, according to its earnings reports.

It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.  According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai.  “The goal was to reduce the risk of being exposed,” they said.

By collecting expansive data on user activities, the company was able to create a comprehensive portrait of users’ habits, interests and preferences, according to the source.  This allowed it to improve its machine learning model to offer more personalized push notifications and ads, attracting users to open the app and place orders, they said.  The team was disbanded in early March, the source added, after questions about their activities came to light.  PDD is not confirming or denying these practices. 

The Investigation - Researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.  Google Play is not available in China, and Android users in the country download their apps from local stores.  In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.  The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.  “Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.  The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said.  It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.  Check Point Research additionally identified ways in which the app was able to evade scrutiny.  On a side note, Check Point, was taken down by a group of hackers calling themselves "Anonymous Sudan" on 4 April.[2]  In many researcher’s opinion

The app deploys a method that allowed it to push updates without an app store review process meant to detect malicious applications, the researchers said.  They also identified in some plug-ins the intent to obscure potentially malicious components by hiding them under legitimate file names, such as Google’s.  “Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” they said.

Android is the main targeted of this scheme.  In China, about three quarters of smartphone users are on the Android system.  Apple (AAPL)’s iPhone has 25% market share, according to Daniel Ives of Wedbush Securities.

Oversecured said Pinduoduo’s malware specifically targeted different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi and Oppo.  It described Pinduoduo as “the most dangerous malware” ever found among mainstream apps.  “I’ve never seen anything like this before. It’s like, super expansive,” he said.

Most phone manufacturers globally customize the core Android software, the Android Open Source Project (AOSP), to add unique features and applications to their own devices.  Oversecured found Pinduoduo to have exploited about 50 Android system vulnerabilities.  Most of the exploits were tailor made for customized parts known as the original equipment manufacturer (OEM) code, which tends to be audited less often than AOSP and is therefore more prone to vulnerabilities, he said.  Pinduoduo also exploited a number of AOSP vulnerabilities, including one which was flagged by Oversecured to Google in February 2022.  Google fixed the bug this March, he said.

The exploits allowed Pinduoduo access to users’ locations, contacts, calendars, notifications and photo albums without their consent.  They were also able to change system settings and access users’ social network accounts and chats, he said.  Of the six teams CNN spoke to for this story, three did not conduct full examinations.  But their primary reviews showed that Pinduoduo asked for a large number of permissions beyond the normal functions of a shopping app.  They included “potentially invasive permissions” such as “set wallpaper” and “download without notification,” said the head of the Institute of Networks and Security at the Johannes Kepler University Linz in Austria.

Suspicions about malware in Pinduoduo’s app were first raised in late February in a report by a Chinese cybersecurity firm called Dark Navy.  Even though the analysis did not directly name the shopping giant, the report spread quickly among other researchers, who did name the company.  Some of the analysts followed up with their own reports confirming the original findings.  In early March, Pinduoduo issued a new update of its app, version 6.50.0, which removed the exploits, according to two experts.  Two days after the update, Pinduoduo disbanded the team of engineers and product managers who had developed the exploits, according to the Pinduoduo source.  The next day, team members found themselves locked out of Pinduoduo’s bespoke workplace communication app, Knock, and lost access to files on the company’s internal network.  Engineers also found their access to big data, data sheets and the log system revoked, the source said.

Most of this team was transferred to work at Temu.  They were assigned to different departments at the subsidiary, with some working on marketing or developing push notifications, according to the source.  A core group of about 20 cybersecurity engineers who specialize in finding and exploiting vulnerabilities remain at Pinduoduo. 

Oversecured said although the exploits were removed, the underlying code was still there and could be reactivated to carry out attacks.

Pinduoduo has been able to grow its user base against a backdrop of the Chinese government’s regulatory clampdown on Big Tech that began in late 2020.  2020 saw the CCP Ministry of Industry and Information Technology launched a sweeping crackdown on apps that illegally collect and use personal data.  In 2021, Beijing passed its first comprehensive data privacy legislation.  The Personal Information Protection Law stipulates that no party should illegally collect, process or transmit personal information. They are also banned from exploiting internet-related security vulnerabilities or engaging in actions that endanger cybersecurity.

Pinduoduo’s apparent malware would be a violation of those laws, tech policy experts say, and should have been detected by the regulator.  “This would be embarrassing for the Ministry of Industry and Information Technology, because this is their job,” said Trivium China, a tech consultancy.  “They’re supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator.”  The ministry regularly publishes lists to name and shame apps found to have undermined user privacy or other rights.  It also publishes a separate list of apps that are removed from app stores for failing to comply with regulations.  Pinduoduo did not appear on any of the lists.  “They are supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator,” said Trivium.  On Chinese social media, some cybersecurity experts questioned why regulators haven’t taken any action.  “Probably none of our regulators can understand coding and programming, nor do they understand technology. You cannot even understand the malicious code when it’s shoved right in front of your face,” a cybersecurity expert with 1.8 million followers wrote last week in a viral post on Weibo, a Twitter-like platform.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or            

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www. redskyalliance. org/
    •       Website:        https://www. wapacklabs. com/
    •       LinkedIn:       https://www. linkedin. com/company/64265941    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings



E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!