It is China's most loved shopping app, selling clothes, groceries, and almost everything else to more than 750,000,000 users per month.
Cybersecurity researchers say the app can bypass the phone's security controls to monitor activity in other apps, check notifications, read private messages and change settings.
It is also hard to remove once installed.
Experts say that Pinduoduo, an e-commerce company, went well beyond normal privacy and security practices to collect large amounts of user data.
CNN conducted a thorough investigation after being tipped off and spoke with half a dozen cybersecurity professionals from Asia, Europe, and the United States.
Multiple experts found malware in the Pinduoduo app that exploits vulnerabilities in the Android operating system. According to company insiders, the exploits were used to spy on competitors and users in order to increase sales.
"We haven't seen a mainstream application like this trying to increase their privileges in order to gain access," said Mikko Hypponen, chief research officer at WithSecure, a Finnish cybersecurity company.
"This is a very unusual situation, and it is quite damning for Pinduoduo."
Malware is shorthand for malicious software: software that attempts to steal data from computers or interfere with mobile devices.
The evidence of sophisticated malware in Pinduoduo's app comes amid intense scrutiny of Chinese-developed apps such as TikTok over concerns about data security.
Some American legislators are calling for a ban on the popular short video app. Congress grilled Shou Chew, the app's CEO, for five hours last Wednesday about its relationship with China.
These revelations will likely draw attention to Pinduoduo’s international sister app Temu. It is currently at the top of US download charts and expanding rapidly in other Western countries. They are both owned by PDD, a multi-national company with roots in China.
Although Temu was not implicated in the alleged crimes, Pinduoduo's alleged actions could cast a shadow on its sister app's global expansion.
There is no evidence Pinduoduo gave data to the Chinese government. However, Beijing has a significant influence over the businesses that fall under its control. This raises concerns among US lawmakers about whether any Chinese company could be forced into cooperation with security activities.
These findings come after Google suspended Pinduoduo's Play Store account in March due to malware found in previous versions of the app.
Bloomberg reported that a Russian cybersecurity firm had identified malware in the app.
Pinduoduo previously denied the 'speculation and accusation' that its app was malicious.
CNN reached out to PDD several times via email and telephone for comments, but has yet to receive a reply.
Rise to Success
Pinduoduo boasts a user base of three quarters of China's online population and a market value three times that of eBay (EBAY). But it wasn't always an internet shopping giant.
Colin Huang, an ex-Google employee, founded the startup in Shanghai in 2015. It was trying to make a mark in a market long dominated by the e-commerce giants JD.com and Alibaba (BABA).
It grew by offering steep discounts on friends-and-family group orders and by focusing on lower-income rural areas.
Pinduoduo saw triple-digit growth in monthly users from the beginning of 2018, when it was listed in New York. According to earnings reports, however, growth in monthly users had slowed to about 50% by the middle of 2020 and continued to fall after that.
According to a current employee of Pinduoduo, the company established a team of around 100 engineers and product managers in 2020 to find vulnerabilities in Android phones and develop ways to exploit them.
The source claimed that the company initially targeted users only in rural areas and small towns, and then moved on to megacities like Beijing and Shanghai.
They stated that their goal was to lower the risk of being exposed.
The company was able, through extensive data collection, to build a complete picture of user habits, interests, and preferences.
They said that this allowed the company to improve its machine learning model to deliver more personalized push notifications and ads, which drew users back to the app and encouraged them to place orders.
After questions regarding their activities surfaced, the source said that the team was disbanded in March.
PDD did not respond to CNN's repeated requests for comment.
What experts discovered
CNN approached researchers from Check Point Research in Tel Aviv, a Delaware-based firm, and Hypponen's WithSecure to conduct independent analyses of version 6.49.0 of the app, which was released on Chinese app stores in February.
Google Play isn't available in China. Android users in China download their apps from their local stores. Google had suspended Pinduoduo in March after it discovered malware in the off-Play version of the app.
Researchers discovered code designed to achieve 'privilege elevation' (also called privilege escalation). Experts describe this type of attack as one that exploits vulnerabilities in an operating system to gain a higher level of access to data and system functions than the app has been granted.
Hypponen stated that he had reverse engineered the code and could confirm that it attempts to escalate rights and tries to gain access to things that normal apps would not be able to do on Android phones.
Hypponen stated that the app could continue to run in the background and resist being uninstalled, which allowed it to inflate its monthly active user numbers. He said that the app could also spy on its competitors by monitoring their activity in other shopping apps and obtaining information about them.
Check Point Research also identified ways that the app could evade scrutiny.
Researchers found that the app used a method to push updates to its users without going through app store review, a process that is meant to help spot malicious apps.
Some plug-ins also showed an intent to hide potentially harmful components under legitimate-looking file names, including ones mimicking Google's.
They stated that malware developers use this technique to inject malicious code into legitimate applications.
Android is targeted
Three quarters of all smartphone users in China use the Android operating system. According to Daniel Ives, an analyst at Wedbush Securities, Apple's (AAPL) iPhone holds the remaining 25% of the market.
Sergey Toshin, founder of Oversecured, stated that Pinduoduo's malware targeted various Android-based operating systems, including those used by Samsung, Huawei and Xiaomi.
CNN reached out to those companies for comment.
Toshin described Pinduoduo as the 'most dangerous malware' found among all mainstream apps.
"I have never seen anything like it before," he said. "It's super expansive."
Globally, most phone manufacturers customize the core Android software, the Android Open Source Project (AOSP), to add unique features to their devices.
Toshin discovered that Pinduoduo had exploited approximately 50 Android system vulnerabilities. He said that most of the exploits were tailored for these custom parts, known as original equipment manufacturer (OEM) code. This code tends to be audited less frequently than AOSP and is therefore more likely to contain vulnerabilities.
Pinduoduo also exploited a variety of AOSP vulnerabilities. One was flagged to Google by Toshin in February 2022. He said that the bug was fixed by Google in March.
Toshin claims that the exploits gave Pinduoduo unrestricted access to users' locations, contacts and calendars. He said that they were also able to change system settings and gain access to users' chats and social network accounts.
CNN interviewed six teams for this story. Three of them did not complete full examinations. However, their initial reviews revealed that Pinduoduo requested a lot more permissions than what is required for shopping apps.
These permissions included "potentially invasive permissions" such as "set wallpaper" and "download without notification," Rene Mayrhofer (director of engineering at Institute of Networks and Security, Johannes Kepler University Linz, Austria) said.
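The point Mayrhofer's team makes is a checkable one: a shopping app's requested permissions can be compared against what the category plausibly needs, and anything outside that set deserves a look. The script below is an added example written for this page, not code from CNN or from any of the researchers it quotes. It assumes input in the style of `aapt dump permissions <apk>` (`uses-permission: name='...'`), and the baseline of "expected" shopping-app permissions is this example's own assumption; the sample dump is constructed and does not describe any real app.

```python
"""Audit an Android APK's requested permissions against a baseline for its app category.

Assumed input: the text produced by `aapt dump permissions <apk>`. Both the
quoted style (name='...') and the older bare style are accepted.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of `aapt dump permissions` (not a real dump).
SAMPLE_DUMP = """\
package: com.example.shop
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.DOWNLOAD_WITHOUT_NOTIFICATION'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""

# Baseline a shopping app plausibly needs (this example's assumption, not a standard).
SHOPPING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",                   # barcode / QR scanning
    "android.permission.ACCESS_COARSE_LOCATION",   # store finder
}

# Real Android permission names that let an app act outside its own screen.
# The risk notes are this example's; the first two are the ones named in the article.
SCRUTINY = {
    "android.permission.SET_WALLPAPER": "can change the device wallpaper",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads via DownloadManager",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt installs of APKs outside the store",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate every installed app",
    "android.permission.PACKAGE_USAGE_STATS": "can see which apps the user opens and for how long",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can start itself at boot and stay resident",
}

# Matches "uses-permission: name='X'" and the bare "uses-permission: X" form.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?", re.M)


def parse_permissions(dump: str) -> list[str]:
    """Return the permission names requested in an aapt-style dump, in order."""
    return _PERM_RE.findall(dump)


@dataclass
class Finding:
    permission: str
    reason: str


def audit(dump: str, baseline: set[str] = SHOPPING_BASELINE) -> list[Finding]:
    """List every requested permission outside the baseline, with a risk note
    where the permission is on the scrutiny list."""
    findings = []
    for perm in parse_permissions(dump):
        if perm in baseline:
            continue
        reason = SCRUTINY.get(perm, "not in the expected set for this app category")
        findings.append(Finding(perm, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"{f.permission}: {f.reason}")
```

Run it against the output of `aapt dump permissions` on an APK you are reviewing; each line it prints is a permission the category baseline does not explain, which is the starting point for the kind of manifest review the researchers describe rather than a verdict on its own.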
The team is disbanded
In February, Dark Navy, a Chinese cybersecurity company, raised suspicions about malware in Pinduoduo's app. Although the analysis did not identify the shopping giant directly, it spread quickly to other researchers, who were able to identify the company. Some analysts confirmed the original findings with their own reports.
According to CNN's two sources, Pinduoduo released a new version of its app on March 5th, version 6.50.0. This removed all exploits.
According to the Pinduoduo source, two days later Pinduoduo disbanded the team of engineers, product managers and program managers that had created the exploits.
Team members were locked out of Knock, Pinduoduo’s workplace communication app. They also lost access to company files via the internal network. According to a source, engineers also lost access to data sheets, big data and the log system.
The majority of the team was transferred to Temu. According to the source, they were assigned to different departments within the subsidiary. Some worked on push notifications development or marketing.
They said that a core group of 20 cybersecurity engineers, who are experts in exploiting vulnerabilities, remains at Pinduoduo.
Oversecured's Toshin, who reviewed the update, stated that although the exploits had been removed, the underlying code could still be activated to launch attacks.
Pinduoduo was able to increase its user base despite the Chinese government's clampdown on Big Tech, which began in late 2020.
The Ministry of Industry and Information Technology began a massive crackdown against apps that illegally collect and use personal data in 2011.
Beijing's first comprehensive legislation on data privacy was passed in 2021.
The Personal Information Protection Law prohibits any party from illegally collecting, processing or transmitting personal information. They are also prohibited from exploiting security holes in the internet or engaging in activities that could endanger cybersecurity.
Tech policy experts agree that Pinduoduo's malware-like behavior would violate these laws and should have been reported to the regulator.
Kendra Schaefer, a tech policy expert at Trivium China, said the findings would be embarrassing for the Ministry of Industry and Information Technology, whose job it is to police such apps. "They are supposed to check Pinduoduo and the fact they didn't find anything is embarrassing for regulators," she said.
The ministry regularly publishes lists that name and shame apps that violate user privacy rights. It also publishes separate lists of apps that have been removed from app stores because they do not comply with regulations.
Pinduoduo didn't appear on any of these lists.
CNN reached out to China's Ministry of Industry and Information Technology and the Cyberspace Administration for comment.
On Chinese social media, some cybersecurity experts have questioned why regulators have not taken action.
"Probably none of our regulators understand programming and coding, or technology," a cybersecurity expert with 1.8 million followers wrote last week in a viral post on Weibo, a platform similar to Twitter.
The post was removed the following day.