According to a Bloomberg report yesterday, security researchers from Kaspersky Lab confirmed that the Pinduoduo app contained malicious code after Google removed it from its official app store, the Play Store.

In one of the first public reports of malicious code,Kaspersky explains how the app elevates itself to compromise user privacy and data security. It tested versions of the apps distributed through China’s local app stores, with Huawei Technologies Co Ltd, Tencent Holdings Ltd and Xiaomi Corp operating some of the largest app marketplaces.

The findings, which Kaspersky shared with Bloomberg, are among the clearest explanations from the independent security team for triggering Google’s actions and malware warnings last week. The cybersecurity firm, which has been instrumental in uncovering some of the biggest cyberattacks in history, said it found evidence of early versions of Pinduoduo exploiting system software vulnerabilities to install backdoors and gain unauthorized access to user data and notifications .

Those conclusions are largely in line with those posted online by other researchers over the past few weeks, though Bloomberg News has yet to confirm the veracity of earlier reports.

At present, discussions on this matter on Weibo have been on the hot search list.

Cybersecurity expert @sunwear also had this to say on the matter:

In addition to Kaspersky Lab, an analysis of the non-Google Play version of the Pinduoduo app by researchers from another security company, Lookout, also confirmed the allegations made by the independent security research organization DarkNavy. Preliminary analysis shows that at least two non-Play versions of the Pinduoduo app exploit the vulnerability CVE-2023-20963.

The vulnerability was disclosed by Google on March 6. Using this vulnerability can escalate privileges, and the entire process does not require user interaction. The fix was only made available to end users two weeks ago.

Researchers at Lookout analyzed two versions of Pinduoduo released before March 5, both of which contained code to exploit CVE-2023-20963. Both versions were signed with the same key as the Pinduoduo Google Play version.

Currently there is no evidence that the versions of Play Store and Apple App Store contain malicious code, and Pinduoduo apps downloaded through Google and Apple’s official stores are safe. But Android users who downloaded through third-party markets are not so lucky. Given that Pinduoduo has hundreds of millions of users, the number of affected users may be very staggering.

further reading