Major Chinese E-commerce Platform Accused of Installing Sophisticated Malware on User Devices
A prominent Chinese online marketplace serving over 750 million monthly users has been accused of deploying advanced malicious software that can circumvent smartphone security measures to monitor user activities, according to multiple cybersecurity investigations.
The allegations center on Pinduoduo, one of China’s largest e-commerce platforms, which researchers claim has been using sophisticated exploits to access private user data far beyond typical app permissions. The malware allegedly allows the platform to monitor activities on competing applications, read personal messages, access notifications, and modify device settings without user consent.
Unprecedented Security Violations
Cybersecurity experts from multiple continents have identified what they describe as unusually aggressive privacy violations. Mikko Hyppönen, chief research officer at Finnish cybersecurity company WithSecure, characterized the findings as highly unusual for a mainstream application.
The investigation involved six cybersecurity teams from Asia, Europe, and the United States, along with testimony from current and former company employees. Researchers discovered malware that exploited Android operating system vulnerabilities, allegedly used to gather competitive intelligence and boost sales performance.
These revelations emerge during heightened scrutiny of Chinese-developed applications amid national security concerns. The timing coincides with ongoing debates about TikTok’s operations and potential restrictions on Chinese apps in Western markets.
Technical Analysis Reveals Sophisticated Attacks
Security researchers examined version 6.49.0 of the application, released on Chinese app stores in February. Their analysis revealed code designed for “privilege escalation” – a cyberattack technique that exploits operating system vulnerabilities to obtain permissions beyond those granted to the app, and with them unauthorized access to sensitive data.
The malware specifically targeted various Android-based systems, including devices from Samsung, Huawei, Xiaomi, and Oppo. Sergey Toshin from cybersecurity firm Oversecured described it as the most dangerous malware discovered in mainstream applications, noting its unprecedented scope and sophistication.
According to the technical analysis, the malware exploited approximately 50 Android system vulnerabilities. Most targeted customized manufacturer code that receives less security auditing than core Android systems, making these components more susceptible to exploitation.
Extensive Data Access
The exploits allegedly provided unauthorized access to user locations, contacts, calendars, notifications, and photo albums. The malware could also modify system settings and access social media accounts and private conversations without user knowledge or consent.
Additionally, the application employed techniques to avoid detection, including pushing updates to devices without passing through standard app store security reviews and hiding malicious components under legitimate-looking file names.
Internal Operations and Corporate Response
According to a current company employee who spoke anonymously, Pinduoduo established a team of approximately 100 engineers and product managers in 2020 specifically to identify Android vulnerabilities and develop exploitation methods. The source indicated that initial targeting focused on rural users and smaller cities to minimize exposure risk.
The team allegedly used collected data to create comprehensive user profiles, enabling more targeted advertising and personalized notifications to increase app engagement and sales.
Following public exposure of these activities, the company reportedly disbanded the exploitation team in early March and removed the malicious code in a subsequent app update. However, security experts note that while the active exploits were removed, the underlying code infrastructure remains and could potentially be reactivated.
Regulatory and Legal Implications
The alleged activities appear to violate China’s Personal Information Protection Law, enacted in 2021, which prohibits illegal collection and processing of personal data and exploitation of internet security vulnerabilities.
Despite regular publication of lists naming applications that violate user privacy, Chinese regulators have not publicly addressed Pinduoduo’s alleged violations. Technology policy experts suggest this represents a significant oversight by the Ministry of Industry and Information Technology, which is responsible for monitoring such activities.
The company has previously denied accusations of malicious behavior following Google’s suspension of the app from its Play Store in March due to malware concerns. Multiple attempts to reach the company for comment regarding these latest allegations have gone unanswered.
Broader Market Impact
These revelations may affect the global expansion of Temu, Pinduoduo’s international sister application that has gained significant popularity in Western markets. Both platforms operate under PDD Holdings, a multinational corporation with Chinese origins listed on the NASDAQ exchange.
The controversy adds to growing concerns about data security practices among Chinese technology companies and may influence ongoing policy discussions regarding Chinese applications in international markets.