The Google Play Store has rejected one of China’s biggest shopping apps after malware was found in a GitHub repository of previous versions.
Known malware attack chain found embedded in prior versions of Pinduoduo
The Google Play ban will likely have very minimal impact in mainland China; the biggest impact will likely be in Hong Kong, as the bargain shopping app has only a relative handful of users outside of the country.
The malware incident casts an unfavorable light on owner PDD Holdings, however, which has just recently broken into the United States market with similar shopping app Temu. There do not appear to be any issues with Temu at present, but TikTok is going through a similar situation that has led it into a full-blown inquisition under threat of a total ban from the country.
Versions of the shopping app up to the most recent release were found to have malware present, at least in the GitHub repository in which they are stored. The malware is an attack chain that specifically targets Samsung mobile devices, first discovered in early 2021 (and long since patched). Devices that have been updated in the last two years should be safe from exploitation, but it is possible that the malware was inserted some time ago and simply left in even after it lost most of its utility.
At this point it’s not clear who put it there, but some security researchers have come to the conclusion that it was inserted intentionally and that the purpose was to get information useful in poaching customers from competing shopping apps.
Shopping app compromised at unknown point, had unauthorized access until early March
Pinduoduo has already had some customer trust issues prior to the malware discovery, as it has fielded numerous complaints about scammers allowed to operate freely on the platform. The situation is such that the US government added it to its “Notorious Markets” list in 2022.
The malware is essentially designed to provide root access to the device, letting the entity behind it roam freely through user devices and listen in on all sorts of communications. Google says that the most current version of the shopping app that was available (prior to its removal) was not infected, but it remains unclear if the malware made it through to all prior versions found on GitHub.
The shopping app had over 750 million active monthly users as of late 2022, making it one of the biggest overall apps in the country (and pushing lead rival Alibaba’s user base of one billion). The app’s primary appeal has been as a direct manufacturer-to-consumer pipeline that allows for rock-bottom pricing, though as might be expected from the business model it has been subject to a substantial amount of customer service and quality complaints.