Another Popular Chinese App raises Security Red Flags

As tech stocks continue to grapple with security and privacy failures, companies such as TikTok are front and center in their controversy. Security experts have raised another red flag about Chinese company, Pinduoduo, an app that has over 750 million subscribers has been flagged by multiple cyber analysts for their alleged distribution of malware on people phones, leading some to think it is a front for more invasive spying by the Chinese government.

Pinduoduo on its surface is an E-commerce giant, not unlike Amazon, based in China. Their model was based around building up a family network to allow for cheaper prices to be made available to the public. This model has allowed over 750 million users to download the app onto their phones across the globe, supposedly allowing people easier way to get cheaper prices for goods.(1)

Unfortunately, this ease of access has come with a big issue, something that former coders and several security analysts have discovered. The application, when placed on devices, are able to push forward malware into them and start sending data back to the source. Even if the app was subsequently deleted, the program still allowed it to find a way to push updates through, making it nearly impossible to remove the entire program with conventional measures as they found a way around the normal review process that Google Play and Apple Store uses to find such malware.

The issues stem from an exploit discovered on Androids regarding information access. The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts. They took advantage of over 50 exploits, including many in the original equipment manufacturing code (OEM). These OEMs typically aren’t scrutinized as Android’s Open-Source Project, the foundation for many of the phones that use Android based programs. In the words of Oversecured and Android Security Expert, Sergey Toshin, the exploits allowed Pinduoduo access to users’ locations, contacts, calendars, notifications, and photo albums without their consent. They were also able to change system settings and access users’ social network accounts and chats, he said.” (2)

The fact that an application can do this is bad enough. However, Pinduoduo being Chinese based makes it more worrisome given recent headlines relating to TikTok and other software. Some people believe correctly that the Chinese government would be able to force the company app to spy on people, using the applications to steal or even copy many personal data, one of the reasons Google Play took it off its store, the other being the Malware’s ability getting around its checks and balances. This further compounds another application’s issues especially in the US. TikTok has been targeted by US lawmakers over the perceived ability for the Chinese government to be able to spy on other people’s devices. Though the government does not currently have anything on the floor to debate banning the app, Piuduoduo’s malware infiltrating phones has made many people weary of any other apps that could have similar issues to these.

Pinduoduo’s malware being used to exploit various phones features is an alarm bell for anyone. If an application can do this, so can hackers if they so choose. The best way to prevent these exploits is to limit who has access to your data. You also should continue to update your phone and computers regularly to make sure the newest patches are downloaded and patched in.