Popular Smartphone App Caught Spying On Its Users

Pinduoduo, a Chinese retail app, has been caught utilizing malware to acquire personal information.

By Brian Scheid | Published


Have you ever felt that your cell phone was listening to you? I think it is safe to say that everyone has had a conversation with someone about a topic, and the next time they opened a smartphone app, they saw ads for a product directly related to that conversation. One of China’s most popular retail apps, Pinduoduo, has been caught red-handed utilizing malware to acquire personal information. The app bypasses a user’s cell phone security, monitors user activities, checks notifications, reads private messages, and changes the phone’s settings.

This level of intrusion has never been seen from a mainstream company like Pinduoduo. It would be equivalent to Amazon being caught doing this in America. Some might say this is the type of governmental overreach that occurs in China all the time. However, the Chinese government enacted comprehensive data privacy legislation in 2021 to crack down on companies attempting to utilize discovered software vulnerabilities to gather information without having a person’s permission to do so.

What should be concerning to us here in the United States is that Pinduoduo is the sister company to Temu. Temu recently launched in the US and used a Super Bowl commercial in February to introduce itself to our country. The Temu app is currently topping the US download charts and is expanding its reach at a rapid pace in many western markets. Pinduoduo currently has 750 million users in China. If its app was written with malware code embedded in it, it’s not too far of a stretch to think Temu’s smartphone app was also developed with the same nefarious code.

According to CNN, “according to a current Pinduoduo employee, the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.” This was an intentional effort to exploit their customers and undermine their competition by collecting user data on their smartphone apps. They even attempted to disguise what they were doing by initially only targeting users in small towns and rural areas and staying away from people living in megacities like Shanghai or Beijing to reduce the risk of being exposed.

Once the story was first broken at the end of February by a cybersecurity firm called Dark Navy, Pinduoduo immediately released an update of its smartphone app, version 6.50.0. This update removed the exploits that were in the previous versions. The team that had specifically been working on exploiting Android vulnerabilities was disbanded, and most of the engineers were transferred to different departments at their subsidiary Temu.

The Chinese Ministry of Industry and Technology is the governmental body that is responsible for enforcing the newly enacted regulations on companies within the country. This is turning out to be a major embarrassment for that department, as Pinduoduo committed these data privacy violations in plain view of it. Only when an individual cybersecurity firm decided to investigate were the app’s transgressions discovered and reported.

All eyes will be watching the fallout of this revelation both in China and around the world as governments see what kind of recourse is taken against a major company that blatantly ignored data privacy laws. Every major corporation will also be keeping an eye on it so they can determine how closely their operations need to follow these regulations. It will certainly set a precedent and a standard for all corporations to follow moving forward.