BEIJING: It is one of China’s most popular shopping apps, selling clothing, groceries, and almost everything else under the sun to more than 750 million monthly users. But cybersecurity researchers claim that it can also bypass users’ cell phone security to monitor activities on other apps, change settings, check notifications, and read private messages. And it takes work to remove once installed.
While many other apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken privacy and data security violations to another level.
In a thorough investigation prompted by a tipoff, CNN spoke to half a dozen cybersecurity teams from the United States, Asia, and Europe, as well as multiple current and former Pinduoduo employees.
Several experts found malware in the Pinduoduo app that exploited flaws in the Android operating system. According to company insiders, the exploits increased sales by snooping on customers and rivals.
According to Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity company, “We haven’t seen a major app like this trying to increase their privileges to acquire access to things that they’re not intended to gain access to.”
Malware, short for malicious software, is any programme designed to steal data or disrupt computer and mobile device operations. The evidence of sophisticated malware in the Pinduoduo app comes at a time when Chinese-developed apps like TikTok are being closely analysed due to data security concerns.
Certain American politicians are calling for a countrywide ban on the popular short-video app, whose CEO, Shou Chew, was interrogated by Congress for five hours last week on its relations with the Chinese government.
The discoveries will also increase interest in Temu, the foreign sister app of Pinduoduo, which is now dominating US download rankings and rapidly growing in other Western markets. Both are owned by PDD, a global corporation with Chinese roots listed on the Nasdaq.
Temu has not been implicated, but Pinduoduo’s alleged behaviour could cast doubt on the global expansion of its sibling app. No proof exists that Pinduoduo gave information to the Chinese authorities.
But, given Beijing’s considerable influence over the companies that fall under its purview, US senators are worried that any company doing business in China would be compelled to participate in a wide range of security operations.
The findings come after Google removed Pinduoduo from the Play Store in March due to malware found in some versions of the software.
A subsequent Bloomberg report stated that a Russian cybersecurity company had also discovered suspected malware in the app. In a previous statement, Pinduoduo claimed that its app is not malicious.
CNN said it repeatedly contacted PDD by phone and email for a comment but has not heard back.