
Article

3 Apr 2023

China: E-commerce giant Pinduoduo's app allegedly contains malware capable of spying on users

"‘I’ve never seen anything like this:’ One of China’s most popular apps has the ability to spy on its users, say experts" 3 April 2023

It is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.

But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings.

And once installed, it’s tough to remove.

While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.

In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.

Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.

“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm. [...]

The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.

An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.

Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”

CNN has contacted PDD multiple times over email and phone for comment, but has not received a response. [...]