The Pinduoduo malware executed a dangerous zero-day against millions of Android devices

Google Android figure standing on laptop keyboard with code in background
(Image credit: Shutterstock / quietbits)

A new report has claimed Pinduoduo, a major Chinese shopping app, took advantage of a zero-day vulnerability in the Android operating system to elevate its own privileges, steal personal data from infected endpoints, and install malicious apps. 

The allegations were confirmed by multiple sources, including cybersecurity experts Kaspersky, which analyzed “previous versions” of the app that were still distributed through a local app store in China, and concluded that it exploited a flaw to install backdoors. 

“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” Igor Golovin, a Kaspersky security researcher, told Bloomberg.

Pinduoduo security

Google and Android are both not available in China, meaning the Play Store isn’t available there, either. 

However, ArsTechica reports that the versions of Pinduoduo that can be found on both the Play Store and the Apple store are clean. Still, Google pulled it from its app repository last week, and urged its users to uninstall it if they have it.

The announcement called the app “harmful”, Bloomberg reported, and told its users that their data and devices were at risk. PDD, the company behind the app, denied any wrongdoing and said the apps were clean.

“We strongly reject the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher,” the company told ArsTechnica in an email. “Google Play informed us on March 21 morning that Pinduoduo APP, among several other apps, was temporarily suspended as the current version is not compliant with Google’s Policy, but has not shared more details. We are communicating with Google for more information.” 

Lookout’s first analysis is that at least two versions of the app exploited a flaw tracked as CVE-2023-20963, which was patched roughly two weeks ago. It is an escalation of privilege flaw which was being exploited before Google publicly disclosed its existence. 

According to Christoph Hebeisen of Lookout, this is a “very sophisticated attack for an app-based malware”. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”

Via: Bloomberg

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.