Android apps digitally signed by China’s third-biggest e-commerce company exploited a zero-day vulnerability that allowed them to surreptitiously take control of millions of end-user devices to steal personal data and install malicious apps, researchers from security firm Lookout have confirmed.
The malicious versions of the Pinduoduo app were available in third-party markets, which users in China and elsewhere rely on because the official Google Play market is off-limits or not easy to access. No malicious versions were found in Play or Apple’s App Store. Last Monday, TechCrunch reported that Pinduoduo was pulled from Play after Google discovered a malicious version of the app available elsewhere. TechCrunch reported the malicious apps available in third-party markets exploited several zero-days, vulnerabilities that are known or exploited before a vendor has a patch available.
A preliminary analysis by Lookout found that at least two off-Play versions of Pinduoduo for Android exploited CVE-2023-20963, the tracking number for an Android vulnerability Google patched in updates that became available to end users two weeks ago. This privilege-escalation flaw, which was exploited prior to Google’s disclosure, allowed the app to perform operations with elevated privileges. The app used these privileges to download code from a developer-designated site and run it within a privileged environment.
The malicious apps represent “a very sophisticated attack for an app-based malware,” Christoph Hebeisen, one of three Lookout researchers who analyzed the file, wrote in an email. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”
Hebeisen was assisted by Lookout researchers Eugene Kolodenker and Paul Shunk. The researcher added that Lookout’s analysis was expedited and that a more thorough review will likely find more exploits in the app.
Pinduoduo is an e-commerce app for connecting buyers and sellers. It recently was reported to have 751.3 million average monthly active users. While still smaller than its Chinese rivals Alibaba and JD.com, PDD Holdings, Pinduoduo’s publicly traded parent company, has become the fastest-growing e-commerce firm in that country.
After Google removed Pinduoduo from Play, PDD Holdings representatives denied the claims any of its app versions were malicious.
“We strongly reject the speculation and accusation that the Pinduoduo app is malicious from an anonymous researcher,” they wrote in an email. “Google Play informed us on March 21 morning that Pinduoduo APP, among several other apps, was temporarily suspended as the current version is not compliant with Google’s Policy, but has not shared more details. We are communicating with Google for more information.”
The company representatives didn’t respond to emails that asked follow-up questions and disclosed the results of Lookout’s forensic analysis.
Suspicions about the Pinduoduo app first surfaced last month in a post (English translation here) from a research service calling itself Dark Navy.
The English translation said that “well-known Internet manufacturers will continue to dig out new Android OEM-related vulnerabilities and implement vulnerability attacks on mainstream mobile phone systems in the current market in their publicly released apps.” The post didn’t name the company or the app, but it did say the app used a “bundle feng shui-Android parcel serialization and deserialization [exploit] that seems unknown in recent years.” The post included several code snippets found in the allegedly malicious app. One of those strings is “LuciferStrategy.”