PSA: Android customers with apps from Pinduoduo ought to strongly take into account uninstalling them, particularly in the event that they received these apps from outdoors the Google Play retailer. Current reviews point out the corporate’s apps include malicious code that creates backdoors and downloads extra software program with out the consumer’s consent.
Google just lately suspended e-commerce large Pinduoduo’s official Play retailer app and warned customers that a number of of the corporate’s different apps include malware. Pinduoduo’s most important Google Play retailer app (and the Apple App Retailer’s, for that matter) is probably going innocent, however Google mentioned variations from different distribution channels are harmful.
Third-party reviews say Pinduoduo’s apps attempt to set up widgets on affected units, forestall customers from uninstalling apps, observe put in app utilization stats, entry WiFi data, and pull location knowledge. To any extent further, trying to put in these apps will set off Google Play Defend—Google’s anti-malware suite for Android. Safety researchers reported that Pinduoduo exploited Android vulnerability CVE-2023-20963, which Google patched earlier this month. The malware is perhaps an effort to inflate the corporate’s consumer numbers artificially.
Google detected the malware on the Samsung, Huawei, Oppo, and Xiaomi app shops. Though customers in western nations can depend on safety from Google’s evaluate course of, the Play retailer is not obtainable in Pinduoduo’s native China. The corporate vehemently denied accusations from Google and safety researchers, declaring different apps suspended from Google Play across the identical time.
As a result of Pinduoduo is a Chinese language firm with round 800 million customers, it is easy to see its suspension by American large Google as anti-China fearmongering, particularly in gentle of Congress’ risk to ban TikTok. Nonetheless, the earliest reviews accusing Pinduoduo of spreading malware got here from Chinese language safety researchers. A later evaluation from cybersecurity firm Lookout seems to validate the preliminary findings.
Earlier this month, Google’s safety staff warned customers about 18 zero-day exploits in in style Android units, together with the corporate’s Pixel 6 and seven telephones. Google is working to harden its platform by baking safety into the Android firmware.
This safety scenario is among the issues probably arising from Android’s extreme stage of fragmentation, which may very well be inflicting loads of different points for software program builders and {hardware} producers supporting the platform.