Pinduoduo, one of China’s most popular shopping apps, has been accused of violating user privacy and data security. According to cybersecurity researchers, the app can bypass user cell phone security, allowing it to monitor activities on other apps, check notifications, read private messages, and change settings. The app has over 750 million users each month, and it is difficult to remove once installed. After receiving a tipoff, CNN contacted multiple cybersecurity teams from Europe, Asia, and the United States, and several former and current Pinduoduo employees were interviewed.
American lawmakers are calling for a national ban on TikTok, another Chinese-developed app, due to concerns about data security. Experts identified malware on the Pinduoduo app that exploits Android operating systems’ vulnerabilities, which company insiders say were used to spy on users and competitors, allegedly to boost sales. Pinduoduo’s actions could also affect its sister app, Temu, rapidly expanding in Western markets.
Pinduoduo set up a team of engineers and product managers
Pinduoduo was founded in 2015 in Shanghai by Colin Huang, a former Google employee. It was established in a market dominated by e-commerce giants Alibaba and JD.com by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas. Pinduoduo’s monthly users overgrew until 2018, the year it listed in New York. Monthly users have since declined, according to earnings reports.
A current Pinduoduo employee stated that the company set up a team of engineers and product managers in 2020 to dig for vulnerabilities in Android phones, develop ways to exploit them, and turn a profit. The company initially targeted users in rural areas and smaller towns while avoiding users in megacities like Beijing and Shanghai. By collecting user data, Pinduoduo was able to create a comprehensive portrait of users’ habits, interests, and preferences, improving its machine-learning model to offer more personalized push notifications and ads.
The app was earlier suspended by Google
Researchers from several cybersecurity firms conducted an independent analysis of the app, which was released in late February. They found code designed to achieve “privilege escalation” – a type of cyberattack that exploits a vulnerable operating system to gain more access to data than it’s supposed to have.
Pinduoduo has denied accusations of malicious intent, but cybersecurity experts say the company’s actions are highly unusual and potentially damning.
Google suspended the app’s presence on Google Play in March due to identified malware, and a Russian cybersecurity firm also found potential malware. Although there is no evidence that Pinduoduo has handed data to the Chinese government, there are concerns that any company operating in China could be forced to cooperate with a broad range of security activities due to Beijing’s significant leverage over businesses under its jurisdiction.