The Pinduoduo malware executed a dangerous zero-day against millions of Android devices

Top Chinese app was recently pulled from the Play Store following security concerns

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A new report has claimed Pinduoduo, a major Chinese shopping app, took advantage of a zero-day vulnerability in the Androidoperating systemto elevate its own privileges, steal personal data from infected endpoints, and install malicious apps.

The allegations were confirmed by multiple sources, including cybersecurity experts Kaspersky, which analyzed “previous versions” of the app that were still distributed through a local app store in China, and concluded that it exploited a flaw to install backdoors.

“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” Igor Golovin, a Kaspersky security researcher, told Bloomberg.

Pinduoduo security

Googleand Android are both not available in China, meaning thePlay Storeisn’t available there, either.

However,ArsTechicareports that the versions of Pinduoduo that can be found on both the Play Store and theApplestore are clean. Still,Google pulled it from its app repository last week, and urged its users to uninstall it if they have it.

The announcement called the app “harmful”, Bloomberg reported, and told its users that their data and devices were at risk. PDD, the company behind the app, denied any wrongdoing and said the apps were clean.

Over 50 Chinese apps banned in fresh crackdown by the Indian government>AliExpress among 43 more Chinese apps banned: How will it impact Indian small businesses?>Keep your business safe with the best endpoint protection for small business

“We strongly reject the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher,” the company told ArsTechnica in an email. “Google Play informed us on March 21 morning that Pinduoduo APP, among several other apps, was temporarily suspended as the current version is not compliant with Google’s Policy, but has not shared more details. We are communicating with Google for more information.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Lookout’s first analysis is that at least two versions of the app exploited a flaw tracked as CVE-2023-20963, which was patched roughly two weeks ago. It is an escalation of privilege flaw which was being exploited before Google publicly disclosed its existence.

According to Christoph Hebeisen of Lookout, this is a “very sophisticated attack for an app-based malware”. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-basedmalware, this is an important threat mobile users need to protect against.”

Via:Bloomberg

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

Scotland vs South Africa live stream: how to watch 2024 rugby union Autumn International online from anywhere