Unofficial Android App Exploited Millions of Devices, Say Researchers

Versions of the Chinese e-commerce app Pinduoduo that were digitally signed by its original developer but only available on third-party app markets exploited several zero-day vulnerabilities to install malicious apps on Android devices and steal user data — reports Ars Technica.

A zero-day vulnerability is a security flaw that’s discovered or exploited before it can be patched. According to researchers at security firm Lookout, malicious versions of the Pinduoduo app exploited CVE-2023-20963, a privilege-escalation flaw in Android that Google started rolling out a fix for a couple of weeks ago, among other zero-days.

Leveraging CVE-2023-20963, the malicious apps were able to download code from a developer-designated website without the user’s consent or knowledge and run it with elevated permissions. Lookout, which has so far only been able to perform a preliminary analysis of the breach, found that at least two versions of Pinduoduo available on third-party platforms exploited this vulnerability.

The Pinduoduo app available on Google Play and Apple’s App Store is clean and free of any malware, although Google still booted the app from its market last week. Malicious versions of the app are only being distributed through third-party app markets, which are the only option for Android users in China, since Google Play isn’t available in the country.

The malicious apps represent “a very sophisticated attack for an app-based malware,” said Christoph Hebeisen, one of three Lookout researchers who looked into the matter. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”

Pinduoduo’s suspicious activity was originally discovered by a research service going by the name “Dark Navy,” which posted about it last month.

According to the group’s post, the malicious Pinduoduo apps include functionality that allows them to be installed covertly with no option for the user to uninstall them, falsely inflating Pinduoduo’s usage numbers. Pinduoduo was recently reported to have 751.3 million average monthly active users.

Furthermore, the group noted that the malicious apps could uninstall competitor apps, steal user data, and evade various privacy compliance regulations. These apps could also:

  • Add widgets to infected devices
  • Track usage stats of installed apps
  • Parse notifications
  • Access Wi-Fi and Location information

That might not be all, either, according to Lookout. “We’re far from having a full and thorough picture of what they all do (in total, there are over 30 DEX files) but preliminary analysis essentially seems to support the claims,” said Hebeisen.

“There is also some code that looks like it would be consistent with preventing apps from being uninstalled. So from what we can see, the claims seem to reflect what’s in the files.”

The malicious exploits pose no harm to any Pinduoduo users who downloaded the app from the Play Store or App Store. Unfortunately, the likely millions of users who obtained the app from a third-party market — so essentially all Chinese users — aren’t as lucky. At the time of writing, Pinduoduo is still unavailable on Google Play.

According to a recent report, Google platforms (including Android) were targeted by a total of 10 zero-day exploits during 2022. That number was significantly higher in 2021, though.