Pinduoduo, one of China’s most popular shopping apps with over 750 million monthly users, has come under intense scrutiny from cybersecurity experts for allegedly bypassing users’ cell phone security to monitor their activities on other apps, check notifications, read private messages, and change settings.
According to a detailed investigation, Pinduoduo’s app contains sophisticated malware that exploits vulnerabilities in the Android operating system. Multiple cybersecurity teams from Asia, Europe, and the United States, as well as former and current Pinduoduo employees, were interviewed as part of the investigation. The findings raise concerns about data security and privacy violations by Chinese-developed apps, especially in light of the recent controversy over TikTok’s relations with the Chinese government.
Experts say that while many apps collect vast troves of user data without explicit consent, Pinduoduo has taken violations of privacy and data security to the next level. The presence of malware in the Pinduoduo app allegedly enables the company to spy on users and competitors to boost sales. This is highly unusual, according to Mikko Hyppönen, the chief research officer at WithSecure, a Finnish cybersecurity firm. He says that Pinduoduo is trying to escalate its privileges to gain access to things that it’s not supposed to gain access to, which is pretty damning for the company.
Pinduoduo’s parent company, PDD, is listed on the Nasdaq in New York. The app’s rise to success is partly due to its steep discounts on friends-and-family group buying orders and a focus on lower-income rural areas. It posted triple-digit growth in monthly users until the end of 2018, the year it listed in New York. However, by the middle of 2020, the increase in monthly users had slowed to around 50%, according to its earnings reports.
In 2020, according to a current Pinduoduo employee who spoke on condition of anonymity, the company set up a team of around 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them, and turn that into profit. Initially, the company only targeted users in rural areas and smaller towns while avoiding users in megacities such as Beijing and Shanghai, to reduce the risk of being exposed. By collecting expansive data on user activities, the company was able to build a comprehensive portrait of users’ habits, interests, and preferences. This allowed it to improve its machine learning model to offer more personalized push notifications and ads, enticing users to open the app and place orders. The team was disbanded in early March after questions about its activities came to light.
Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.” Google suspended Pinduoduo from its Play Store in March, citing malware identified in versions of the app. A Russian cybersecurity firm also identified potential malware in the app, according to Bloomberg.
While there is no evidence that Pinduoduo has handed data to the Chinese government, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities. The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both apps are owned by PDD, a multinational company with roots in China.
The Pinduoduo controversy underscores the need for stronger data security and privacy laws and regulations around the world. As companies collect ever-increasing amounts of user data, it is imperative that they be held accountable for how they use and protect that data. Governments