Popular Budget App Was Suspended from Play Store in March
Days after Google suspended the popular budget e-commerce application Pinduoduo from the Play Store, researchers are alleging that the Chinese app can bypass phones’ security and monitor the activities of other apps, including accessing private messages and changing settings.
Google suspended the app from the Play Store in March over malware found in versions of the Chinese app downloadable from other online stores. The app, which is impossible to remove once installed, collects user data without consent, according to a report from CNN.
“E-commerce giant Pinduoduo has taken violations of privacy and data security to the next level,” CNN reported, citing multiple cybersecurity experts from Asia, Europe and the United States.
A spokesperson for Pinduoduo did not immediately respond to Information Security Media Group’s request for comment.
Pinduoduo parent company PDD Holdings recently announced its fourth-quarter revenue of $5.79 billion, a figure below expectations. The company said it has 800 million monthly active users across the globe. Google’s suspension did not appear to affect Temu, Pinduoduo’s app for the U.S. market.
Mikko Hyppönen, chief research officer at Finnish cybersecurity firm WithSecure, told CNN that he has not seen an app trying “to escalate their privileges to gain access to things that they’re not supposed to gain access to.”
“The methods used by the Pinduoduo app in China are highly unusual,” Hyppönen said in a tweet. “There are a couple of scenarios of what might have happened here, and all of them are bad: Pinduoduo is hacked, Pinduoduo has a malicious insider, Pinduoduo lost their signing key, or Pinduoduo hacked their own users.”
TechCrunch also reported that multiple Chinese security researchers had flagged malicious code designed to monitor users within Pinduoduo versions.