KEY POINTS

  • Cybersecurity researchers told CNN that Pinduoduo can "bypass users' cell phone security"
  • A researcher said the app can prevent itself from being uninstalled
  • One researcher described the Chinese e-commerce app as "the most dangerous malware"

Pinduoduo, one of China's most popular shopping apps, has been accused of spying on users by cybersecurity researchers, CNN revealed in an exclusive report Sunday.

The online shopping app was recently suspended by Google due to alleged malware found in certain versions of it.

"We haven't seen a mainstream app like this trying to escalate their privileges to gain access to things that they're not supposed to gain access to," Mikko Hyppönen, chief research officer at Finnish cybersecurity firm WithSecure, told the outlet.

CNN talked to six cybersecurity teams from the U.S., Europe and Asia regarding the app. Multiple former and current Pinduoduo employees also spoke with the outlet.

Cybersecurity researchers revealed that Pinduoduo could "bypass users' cell phone security to monitor activities on other apps, check notifications, read private messages and change settings," as per the CNN report.

An independent analysis of the Pinduoduo app's 6.49.0 version — which was done by researchers from WithSecure, app security startup Oversecured and Tel Aviv-based cyber firm Check Point Research — found that it "tries to gain access to things normal apps wouldn't be able to do on Android phones," according to CNN.

Check Point Research found ways in which the app has been evading scrutiny of its activities. The analysis also found that Pinduoduo continues to run in the background. It also has the ability to prevent uninstalls, Hyppönen added.

Meanwhile, a current Pinduoduo employee told CNN that in 2020, the online retail giant established a group of about 100 engineers and product managers to search for Android phone vulnerabilities and develop ways to exploit them.

"The goal was to reduce the risk of being exposed," the source, who asked for anonymity for fear of retaliation, told the outlet.

The team was disbanded earlier this month after questions about its activities emerged, according to the source.

Sergey Toshin, founder of Oversecured, described Pinduoduo as "the most dangerous malware" among mainstream apps.

"I've never seen anything like this before. It's like, super expansive," he told CNN, adding that the Chinese app exploited about 50 Android system vulnerabilities.

Three of the six cybersecurity teams interviewed by CNN about Pinduoduo did not conduct a full analysis of the app. However, these teams' initial reviews of the app in question showed that it requested many permissions beyond the normal functions of an app that is supposed to be used for online shopping.

René Mayrhofer, head of the Institute of Networks and Security at the Johannes Kepler University Linz in Austria, told CNN that Pinduoduo had "potentially invasive permissions" such as downloading the app without notification and "set wallpaper."

The CNN exclusive came after Google suspended Pinduoduo from the Play Store earlier this month and tagged the e-commerce app as malware that monitored users. Google spokesperson Ed Fernandez said at the time that the suspension was made over "security concerns" and an investigation was ongoing.

A security researcher who requested anonymity told TechCrunch at the time of Google's suspension of Pinduoduo that their analysis found the app was utilizing "several zero-day exploits to hack users." A zero-day exploit is "the method hackers use to attack systems with a previously unidentified vulnerability," as per Kaspersky.

"We strongly reject the speculation and accusation by some anonymous researcher and non-conclusive response from Google that Pinduoduo app is malicious," Pinduoduo spokesperson Kong Ho told TechCrunch in an email.

The company also said the outlet "singled out" Pinduoduo in its report even as other apps have also been suspended from Google Play.

Google Play is not available in China, but the outlet's security research source said Pinduoduo and several other apps suspended by Google were available on the custom app stores of Xiaomi, Oppo, Samsung and Huawei.

Earlier last year, the U.S. Securities and Exchange Commission (SEC) added Pinduoduo, alongside others, to its provisional lineup of U.S.-listed Chinese firms that could face delisting.

Bloomberg reported at the time that Pinduoduo was placed on the potential delisting lineup because the Chinese government refused to allow U.S. access to the financial audits of the businesses in question.

Pinduoduo was founded in 2015 and went public in 2018, raising $1.6 billion in its initial public offering (IPO). The company claimed at the time that it had 195 million monthly users. Statista estimated that the app had approximately 751.3 million active monthly users in Q1 2022.
