Chinese e-commerce app Pinduoduo infected millions of Android devices with EvilParcel. By exploiting a vulnerability in an application, rogue software can be installed on devices.
Pinduoduo is no small fish: it’s the second largest e-commerce company in China (comparable to AliExpress) and has 751.3 million monthly active users. Apps under the brand have been caught out by the presence of a so-called zero-day vulnerability in the app. As a result, personal data was stolen from millions of app users, and a malicious app was also installed. This was reported by researchers from the security organization Lookout (via TechCrunch).
Malicious versions of the Pinduoduo app were never found on the Google Play Store; they were available only through third parties. The rogue version now making the rounds has nevertheless affected the app in the Play Store: it has been removed there so that there is no doubt about whether someone installed the correct or the incorrect app.
Weaknesses in the application
The vulnerability in the application is tracked as CVE-2023-20963, and although the patch was released two weeks ago, for many users it did not come in time. It worked like this: by downloading the app from a third party, you gave it permission to do all sorts of things on your phone. That permission was used to download code from a website created by the hacker and install it on the device.
Pinduoduo, at least, disagrees and says its app versions weren’t malicious, stating: “We reject speculation and accusations that the Pinduoduo app is malicious. Google Play informed us on the morning of March 21st that the Pinduoduo app, along with several others, has been temporarily suspended because the current version does not comply with Google’s policies, but has not shared more details. We will contact Google for more information.”
Check your phone
Meanwhile, speculation is rife on GitHub and elsewhere on the Internet. For example, someone called davinci1012 has put a “pinduoduo backdoor” on GitHub, and there are more strange occurrences that indicate that it really is a targeted attack. To be sure, check if you have this app on your smartphone and remove it as soon as possible, even if it’s the “real” app. If Google doesn’t want it in its app store right now, you probably don’t want it on your phone either, given how close it sits to a lot of personal data.