According to a new report, Pinduoduo, a major Chinese shopping app, has exploited a zero-day vulnerability in the Android operating system to increase its own privileges, steal personal data (opens in new tab) from infected endpoints and malicious apps to install.
The allegations were corroborated by multiple sources, including cybersecurity expert Kaspersky, who analyzed “previous versions” of the app still distributed through a local app store in China and concluded that it exploited a flaw to install backdoors .
“Some versions of the Pinduoduo app contained malicious code that exploited known Android vulnerabilities to escalate privileges, download and run additional malicious modules, some of which also gained access to users’ notifications and files,” said Igor Golovin, a Security researchers from Kaspersky Bloomberg.
Pinduoduo security
Google and Android are both unavailable in China, which means the Play Store isn’t available there either.
However, ArsTechica (opens in new tab) reports that the versions of Pinduoduo found on both the Play Store and Apple Store are clean. Despite this, Google pulled it from its app repository last week and urged its users to uninstall it if they have it.
The announcement called the app “harmful,” Bloomberg reported, notifying its users that their data and devices were at risk. PDD, the company behind the app, denied any wrongdoing and said the apps are clean.
“We firmly reject the speculation and allegations by an anonymous researcher that the Pinduoduo app is malicious,” the company told ArsTechnica in an email. “Google Play informed us on the morning of March 21 that Pinduoduo APP has been temporarily suspended along with several other apps due to the current version not being compliant with Google’s policy, but has not shared any further details. We are communicating with Google for more information.”
Lookout’s initial analysis states that at least two versions of the app exploited a bug tracked as CVE-2023-20963 that was patched about two weeks ago. It is an escalation of the privilege flaw that was exploited before Google publicly announced its existence.
According to Lookout’s Christoph Hebeisen, this is a “very sophisticated attack for an app-based malware”. “In recent years, exploits have not typically been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is a key threat that mobile users need to protect against.”
About: Bloomberg (opens in new tab)
