Millions of Android devices fall victim to Chinese app
Chinese e-commerce app Pinduoduo has infected millions of Android devices with EvilParcel. By exploiting a weakness in the app, the rogue software could be installed on the devices.
Pinduoduo is no small fish: it is the second-largest e-commerce company in China (a kind of AliExpress) and has 751.3 million monthly active users (!). Apps that fall under the brand have been embarrassed by a so-called zero-day vulnerability in the app. As a result, personal data has been stolen from millions of users of the app, and a malicious app has also been installed. Researchers from the security organization Lookout report this (via TechCrunch).
The malicious versions of the Pinduoduo app could not be found in the Google Play store, but were available through third parties. However, the rogue version now doing the rounds does affect the app in the Play Store: it has been removed so that there is no doubt about whether someone has installed the correct or the incorrect app. So the apps that do have the problem were never available through the Play Store, only through third parties.
Weakness in the app
The weakness in the app is tracked as CVE-2023-20963, and although the patch was released two weeks ago, that was not in time for many. It worked like this: by downloading the app from a third party, you gave it permission to do all kinds of things on your phone. That permission was used to download code from a website the hacker built and install the app on the device.
Pinduoduo, however, disagrees and states that its app versions were not malicious: “We reject the speculation and accusation that the Pinduoduo app is malicious. Google Play informed us on March 21 morning that Pinduoduo app, in addition to several other apps, has been temporarily suspended because the current version does not comply with Google’s policies, but has not shared more details. We will communicate with Google for more information.”
Check your phone
Meanwhile, speculation is rampant on GitHub and elsewhere on the internet. For example, someone called davinci1012 has posted a ‘Pinduoduo backdoor’ on GitHub, and there are more strange events that indicate that it really is a targeted attack. To be sure, check whether you have this app on your smartphone and remove it as soon as possible, even if it is the ‘real’ one. If Google doesn’t want it in the App Store right now, you probably don’t want it on your phone either, so close to so much personal data.