According to a new report, Pinduoduo, a popular Chinese shopping app, exploited a zero-day vulnerability in the Android operating system to escalate its own privileges, steal personal data from infected devices, and install malicious apps.
Several sources corroborated the allegations, including cybersecurity firm Kaspersky, which examined "previous versions" of the app that were still being distributed through a Chinese app store and concluded that they exploited a flaw to install backdoors.
“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” Igor Golovin, a Kaspersky security researcher, told Bloomberg.
Google services are not available in China, so the Play Store isn't available there either. According to Ars Technica, the versions of Pinduoduo available on the Play Store and on Apple's App Store are clean. Nonetheless, Google removed the app from the Play Store last week and advised users who had it installed to uninstall it.
According to Bloomberg, Google's advisory labeled the app "harmful" and warned users that their data and devices were at risk. PDD, the app's developer, denied any wrongdoing and stated that its apps were clean.
“We strongly reject the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher,” the company told ArsTechnica in an email. “Google Play informed us on March 21 morning that Pinduoduo APP, among several other apps, was temporarily suspended as the current version is not compliant with Google’s Policy, but has not shared more details. We are communicating with Google for more information.”
According to Lookout's initial investigation, at least two versions of the app exploited a flaw tracked as CVE-2023-20963, which Google patched about two weeks ago. It is an Android privilege-escalation vulnerability that was being exploited before Google disclosed it publicly.
According to Lookout's Christoph Hebeisen, this is a "very sophisticated attack for an app-based malware. In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”