E-commerce company with hundreds of millions of users accused of distributing Android malware

PSA: Android users with apps from Pinduoduo should strongly consider uninstalling them, especially if they got those apps from outside the Google Play store. Recent reports indicate the company's apps contain malicious code that creates backdoors and downloads additional software without the user's consent.

Google recently suspended e-commerce giant Pinduoduo's official Play store app and warned users that several of the company's other apps contain malware. Pinduoduo's main Google Play store app (and the Apple App Store's, for that matter) is likely harmless, but Google said versions from other distribution channels are dangerous.

Third-party reports say Pinduoduo's apps try to install widgets on affected devices, prevent users from uninstalling apps, track installed app usage stats, access WiFi information, and pull location data. From now on, attempting to install these apps will trigger Google Play Protect---Google's anti-malware suite for Android. Security researchers reported that Pinduoduo exploited Android vulnerability CVE-2023-20963, which Google patched earlier this month. The malware might be an effort to inflate the company's user numbers artificially.

Google detected the malware on the Samsung, Huawei, Oppo, and Xiaomi app stores. Although users in western countries can rely on protection from Google's review process, the Play store isn't available in Pinduoduo's native China. The company vehemently denied accusations from Google and security researchers, pointing out other apps suspended from Google Play around the same time.

Because Pinduoduo is a Chinese company with around 800 million users, it's easy to see its suspension by American giant Google as anti-China fearmongering, especially in light of Congress' threat to ban TikTok. However, the earliest reports accusing Pinduoduo of spreading malware came from Chinese security researchers. A later analysis from cybersecurity company Lookout appears to validate the initial findings.

Earlier this month, Google's security team warned users about 18 zero-day exploits in popular Android devices, including the company's Pixel 6 and 7 phones. Google is working to harden its platform by baking security into the Android firmware.

This security situation is one of the problems possibly arising from Android's severe level of fragmentation, which could be causing plenty of other issues for software developers and hardware manufacturers supporting the platform.