Pinduoduo logo on tablet showing Chinese shopping app with malware

Chinese Shopping App Pinduoduo Blocked by Google Over Signs of Malware in Its Code

Pinduoduo, a popular shopping app that offers low prices on everything from fresh produce to assorted retail products, has been suspended from the Google Play Store after traces of malware were found in the code of previous app versions.

The ban will not have much direct impact on the shopping app, since almost all of its users are in China and the Google Play Store is not used there. Local Android app stores such as Tencent MyApp and Huawei AppGallery may come under pressure to delist the shopping app as well, however, given that the malware found targeted core system privileges.

Pinduoduo shopping app appeared to use zero-day exploits

Initially created as a retail site in 2015, the shopping app has rocketed in popularity in recent years as it switched focus to become a third-party platform that matched farmers offering fresh produce with customers. The Covid-19 pandemic restrictions provided it with an opportunity for massive growth, as it became an alternate sales outlet for farmers that suddenly had lots of produce they could not bring to market, and the scope of items offered has since expanded.

However, the shopping app had already been mired in controversy prior to this incident. It has long faced complaints over failure to adequately police third-party sellers that run scams, and in 2022 it was added to the US Trade Representative’s “Notorious Markets” list of outlets known for harboring counterfeit goods and piracy.

A security firm examined code from previous versions of the shopping app that is stored on GitHub, and found both zero-day and N-day exploits embedded in it. The malware is designed to give the app wide-ranging system privileges, well beyond what it discloses to the end user.

The shopping app had been available in countries outside of China via Google Play, and Google said that the current active version of the app it was hosting did not have malware in it. However, it was suspended anyway out of an abundance of caution. The app remains available on Apple’s App Store.

Reach of malware in question; it may only impact Samsung devices

While Pinduoduo has barely attracted any attention at all in the United States, publisher PDD Holdings has been trying to break into the Western market with a more general shopping app called Temu that is similarly driven by third-party sellers. The app became available in the US in September 2022 and has since seen about $50 million in sales made through it, enough success that PDD Holdings invested in a Super Bowl ad for it.

The malware news may end up cooling the shopping app’s hot start, particularly in the midst of a federal focus on the harm that China-based apps might cause to both US consumers and national security. There is thus far no indication that anything is wrong with Temu, but there is more general concern about any app that has the ability to pass user data to servers in China (where the Chinese government essentially has free access to it).

TikTok has served as a recent example of the new scrutiny that apps based in China are facing from world governments. Though there has yet to be any concrete demonstration that it is sharing data with the Chinese government or being used by the same as a propaganda outlet, the mere possibility has forced it through a series of legal hoops that has culminated in bans from federal government devices throughout the world. The Biden administration has also recently announced that TikTok will need to find a US buyer or be banned from the country’s app stores.

The investigation into the Pinduoduo malware incident continues. Krebs on Security reports that the malware uses the same attack chain seen in an exploit that first emerged on Samsung devices in early 2021, and that it may only affect that company's mobile devices. The attack chain was reportedly removed in a March 5 update to the shopping app. Samsung patched the underlying flaw in a March 2021 update, but it was only made public in November 2022, and older devices from 2020 and earlier running kernel 4.14.113 that have not been updated for some time could still be vulnerable. The exploit gives effectively full access to the target system and establishes a persistent backdoor for covert data exfiltration that is hard to remove permanently.

Some security researchers in China that have studied the malware code believe the purpose was to pore through user data and find information related to competing shopping apps, using this to help Pinduoduo take market share from them. The company has not responded to the issue as of yet, other than a general denial of Google’s report from PDD Holdings.

Ted Miracco, CEO of Approov, notes that the fact that Google Play is banned in China (after the company voluntarily removed many of its services from the country and accused the government of assorted cyber attacks on its users) opens up a unique pathway for this sort of scheme to work.

“Mobile attestation is the process involved in verifying that the app was signed by a trusted party and has not been modified since it was signed. If mobile app developers use Google Play Integrity for the attestation process involved, they leave a substantial number of end users out of the process, as both Huawei and Xiaomi smartphones typically do not have access to Google Play attestation capabilities, and many Samsung devices support app attestation through their own Samsung Knox (a mobile security platform that provides security features, including app attestation). It is incumbent on developers to ensure that only genuine apps can access the APIs, otherwise they are opening up their users to the possibilities of malware or credentials being stolen from the app. Attestation across all mobile platforms is both necessary to protect APIs and to ensure the safety of the end users,” noted Miracco.
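The backend half of the attestation Miracco describes, as an added example that is not code from the article, from Approov or from Google: it assumes the server has already exchanged the client's Play Integrity token for the decoded verdict JSON (Google's server-side decodeIntegrityToken call) and shows the checks a backend should run before serving a protected API. Field names follow the documented verdict layout; the package name, signing-certificate digest and sample verdicts are constructed for illustration.

```python
"""Server-side checks on a decoded Play Integrity verdict before an API call is served.

Added example, not the article's or any vendor's code. Assumes the integrity token
has already been decoded into the verdict dict by Google's server API; the package,
certificate digest and sample verdicts below are constructed values.
"""
import base64
import secrets
import time

# Backend-side knowledge of the genuine app (constructed example values).
EXPECTED_PACKAGE = "com.example.shop"
# SHA-256 of the release signing certificate, hex (constructed, not a real app's).
EXPECTED_CERT_SHA256_HEX = "6a" * 32
MAX_AGE_MS = 5 * 60 * 1000  # verdicts older than five minutes are rejected


def _b64url_decode(s: str) -> bytes:
    """Decode base64url with or without padding (the verdict omits padding)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class IntegrityVerifier:
    """Validates a decoded verdict: nonce binding, freshness, package, signature, device."""

    def __init__(self, package_name, cert_sha256_hex, max_age_ms=MAX_AGE_MS, now_ms=None):
        self.package_name = package_name
        self.cert_digest = bytes.fromhex(cert_sha256_hex)
        self.max_age_ms = max_age_ms
        self._now = now_ms or (lambda: int(time.time() * 1000))
        self._issued = {}  # nonce -> issue time; single-process store for the example

    def issue_nonce(self) -> str:
        """Server-generated nonce the client must pass into its integrity request."""
        nonce = _b64url_encode(secrets.token_bytes(24))
        self._issued[nonce] = self._now()
        return nonce

    def verify(self, verdict: dict) -> tuple[bool, str]:
        req = verdict.get("requestDetails", {})
        app = verdict.get("appIntegrity", {})
        dev = verdict.get("deviceIntegrity", {})

        # 1. Nonce binding: the verdict must answer a nonce we issued, exactly once.
        if self._issued.pop(req.get("nonce"), None) is None:
            return False, "unknown or replayed nonce"
        # 2. Freshness: a captured verdict must not be usable later.
        age = self._now() - int(req.get("timestampMillis", 0))
        if age < 0 or age > self.max_age_ms:
            return False, "stale verdict"
        # 3. The verdict must be about our package, on both the request and app side.
        if req.get("requestPackageName") != self.package_name or app.get("packageName") != self.package_name:
            return False, "package name mismatch"
        # 4. Play must recognise the binary, and it must carry our release signature.
        if app.get("appRecognitionVerdict") != "PLAY_RECOGNIZED":
            return False, "app not recognised by Play: %s" % app.get("appRecognitionVerdict")
        digests = {_b64url_decode(d) for d in app.get("certificateSha256Digest", [])}
        if self.cert_digest not in digests:
            return False, "signing certificate mismatch"
        # 5. The device itself must pass integrity (unrooted, Play-certified).
        if "MEETS_DEVICE_INTEGRITY" not in dev.get("deviceRecognitionVerdict", []):
            return False, "device integrity not met"
        return True, "ok"


def sample_verdict(nonce: str, timestamp_ms: int, genuine: bool = True) -> dict:
    """Constructed verdict in the documented layout: genuine build vs. a re-signed, modified one."""
    if genuine:
        app = {"appRecognitionVerdict": "PLAY_RECOGNIZED", "packageName": EXPECTED_PACKAGE,
               "certificateSha256Digest": [_b64url_encode(bytes.fromhex(EXPECTED_CERT_SHA256_HEX))],
               "versionCode": "42"}
    else:
        # A modified APK re-signed with the attacker's key: Play does not recognise it,
        # and its digest list does not contain the release certificate.
        app = {"appRecognitionVerdict": "UNRECOGNIZED_VERSION", "packageName": EXPECTED_PACKAGE,
               "certificateSha256Digest": [_b64url_encode(b"\x11" * 32)], "versionCode": "42"}
    return {
        "requestDetails": {"requestPackageName": EXPECTED_PACKAGE, "nonce": nonce,
                           "timestampMillis": str(timestamp_ms)},
        "appIntegrity": app,
        "deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
        "accountDetails": {"appLicensingVerdict": "LICENSED"},
    }


if __name__ == "__main__":
    v = IntegrityVerifier(EXPECTED_PACKAGE, EXPECTED_CERT_SHA256_HEX)
    n = v.issue_nonce()
    print(v.verify(sample_verdict(n, int(time.time() * 1000))))          # genuine build
    print(v.verify(sample_verdict(n, int(time.time() * 1000))))          # same nonce replayed
    n2 = v.issue_nonce()
    print(v.verify(sample_verdict(n2, int(time.time() * 1000), genuine=False)))  # tampered build
```

The nonce must be minted by the server and consumed once, otherwise a verdict captured from a genuine install can be replayed in front of a modified one. The coverage gap in the quote also falls out of this design: a device without Google Play services never obtains a token, so the backend never sees a verdict from it and the API fails closed for that user, which is why attestation that spans Knox and the other platforms is needed rather than Play Integrity alone.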