Pinduoduo Android App Caught Red-Handed Executing a Zero-Day Exploit on Millions of Devices
If you are one of the millions of users who have downloaded the Pinduoduo Android app, you might be in for a nasty surprise. The popular e-commerce app has been caught red-handed executing a zero-day exploit on unsuspecting devices, certainly compromising your personal data and security. In this blog post, I will explain what a zero-day exploit is, how Pinduoduo used it to gain unauthorized access to your device, and what you can do to protect yourself from such attacks in the future. I have been researching and writing about cyber security for over a decade, and I have the expertise and experience to help you stay safe online.
In short: the Pinduoduo Android app executed a zero-day exploit on millions of devices by using a hidden feature called “fast app” that allows the app to run code fetched from remote servers without user consent or notification. That capability can be used to access sensitive information, install malware, or perform other malicious actions on the device.
What is a Zero-Day Exploit and How Does It Work?
A zero-day exploit is a cyberattack that takes advantage of a vulnerability in a software or system that is unknown to the developers or vendors. The term “zero-day” means that the security teams have had zero days to work on a patch or an update to fix the issue. A zero-day exploit can compromise the security and functionality of the affected software or system, as well as the data and devices of the users.
A zero-day vulnerability is a security flaw that exists in a software or system, but has not been discovered or reported by the developers or vendors. Sometimes, these vulnerabilities are found by ethical hackers or security researchers, who notify the vendors and help them fix the problem. However, sometimes these vulnerabilities are found by malicious hackers or cybercriminals, who exploit them for their own gain. They can use these vulnerabilities to create malware, such as viruses, worms, or ransomware, that can infect the software or system and cause damage.
A zero-day exploit is a technique or a tool that uses a zero-day vulnerability to launch an attack. The attackers can use various methods to deliver the exploit, such as phishing emails, malicious websites, drive-by downloads, or removable media. The exploit can then execute malicious code on the target software or system, allowing the attackers to access sensitive information, install malware, perform denial-of-service attacks, or take control of the device.
Zero-day exploits are very dangerous because they are often undetectable by antivirus software or firewalls, since they use unknown vulnerabilities that have not been patched or updated. They can also spread quickly and widely before the vendors become aware of them and release a fix. Some examples of zero-day exploits that have caused significant damage in the past are:
- Stuxnet: This malicious computer worm targeted computers used for manufacturing purposes in several countries, including Iran, India, and Indonesia. It exploited four zero-day vulnerabilities in Windows operating systems to infiltrate and sabotage nuclear facilities in Iran.
- WannaCry: This ransomware attack infected more than 200,000 computers in 150 countries in 2017. It exploited a zero-day vulnerability in the Windows Server Message Block (SMB) protocol to encrypt files and demand ransom from the victims.
- SolarWinds: This cyberattack compromised the network management software of SolarWinds, a US-based company that provides IT services to many government agencies and private organizations. It exploited a zero-day vulnerability in the software update mechanism to insert a backdoor that allowed the attackers to access and steal data from thousands of customers.
How Pinduoduo Used the Fast App Feature to Execute Zero-Day Exploit on Millions of Devices
Pinduoduo is a popular e-commerce app in China that connects buyers and sellers of various products. It has over 750 million monthly active users and is one of the fastest-growing online platforms in the country. However, some versions of the Pinduoduo app distributed through third-party app stores in China contained malicious code that exploited a zero-day vulnerability in the Android operating system.
The malicious code used a hidden feature called “fast app” that allowed the Pinduoduo app to run code from remote servers without user consent or notification. This feature was designed to improve the user experience by reducing the app size and loading time, but it also opened a backdoor for attackers to access and manipulate the devices.
The fast app feature exploited a vulnerability in Android’s parcel serialization/deserialization mechanism, which is used to transfer data between processes. The vulnerability, known as CVE-2023-20963, allowed the attackers to execute arbitrary code with elevated privileges on the target devices. This code could then perform various malicious actions, such as:
- Accessing sensitive information, such as contacts, messages, location, device ID, and IMEI number
- Installing malware, such as adware, spyware, or ransomware
- Performing denial-of-service attacks, such as draining the battery or consuming network bandwidth
- Taking control of the device, such as changing settings, sending commands, or deleting files.
The fast app feature was enabled by default on some versions of the Pinduoduo app and could not be disabled by the users. The feature also bypassed the security checks and permissions required by Google Play Store, which made it harder to detect and remove. The malicious code was only found in versions of the Pinduoduo app distributed through third-party app stores in China, where users rely on alternative sources due to Google’s limited presence. No malicious versions were found in Google Play Store or Apple’s App Store.
How to Check If Your Device Is Affected by the Pinduoduo Exploit
If you have downloaded the Pinduoduo app from a third-party app store in China, you may be at risk of being affected by the exploit. The exploit only affects Android devices and does not affect iOS devices or devices that downloaded the app from Google Play Store or Apple’s App Store.
To check if your device is affected by the exploit, you can use the following methods:
- Check the app version: The malicious versions of the Pinduoduo app are 5.51.0 and 5.52.0. You can check the app version by going to Settings > Apps > Pinduoduo on your device. If you have one of these versions, you should uninstall the app immediately and scan your device for malware.
- Check the app permissions: The malicious versions of the Pinduoduo app request excessive permissions that are not necessary for its functionality, such as access to contacts, messages, location, device ID, IMEI number, and notifications. You can check the app permissions by going to Settings > Apps > Pinduoduo > Permissions on your device. If you see any suspicious permissions, you should revoke them and uninstall the app.
- Check the device performance: The malicious versions of the Pinduoduo app may cause your device to perform poorly, such as draining the battery, consuming network bandwidth, slowing down the system, or displaying unwanted ads. You can check the device performance by going to Settings > Battery > Battery usage or Settings > Network & internet > Data usage on your device. If you see any abnormal activity from the Pinduoduo app, you should uninstall it and scan your device for malware.
- Check the device security: The malicious versions of the Pinduoduo app may compromise your device security by installing malware, accessing sensitive information, or taking control of your device. You can check the device security by using reputable antivirus software or a security tool such as Microsoft Defender for Endpoint. If you detect any threats or anomalies from the Pinduoduo app, you should remove them and uninstall the app.
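The first two checks above (app version and granted permissions) can be automated for a fleet of devices by parsing the output of `adb shell dumpsys package <package>`. The script below is an added example written for this post, not Pinduoduo's or Google's code; the package name `com.xunmeng.pinduoduo` and the exact `dumpsys` line layout are assumptions, and the sample output is constructed.

```python
import re

# Package name is an assumption; the post does not state it.
PINDUODUO_PACKAGE = "com.xunmeng.pinduoduo"
# App versions the post identifies as malicious.
MALICIOUS_VERSIONS = {"5.51.0", "5.52.0"}

# Permissions the post calls excessive for a shopping app, keyed by the
# standard Android permission string each one corresponds to.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_PHONE_STATE": "device ID / IMEI",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
}

def parse_dumpsys_package(text):
    """Return (versionName, set of granted permissions) from dumpsys output.
    Permission lines are assumed to look like
    'android.permission.READ_SMS: granted=true, flags=[...]'."""
    m = re.search(r"versionName=(\S+)", text)
    version = m.group(1) if m else None
    granted = set()
    for line in text.splitlines():
        pm = re.match(r"(android\.permission\.[A-Z_]+):\s*granted=(true|false)",
                      line.strip())
        if pm and pm.group(2) == "true":
            granted.add(pm.group(1))
    return version, granted

def assess_pinduoduo(text):
    """Apply the post's version and permission checks to one device's output."""
    version, granted = parse_dumpsys_package(text)
    flagged = sorted(SUSPICIOUS_PERMISSIONS[p] for p in granted
                     if p in SUSPICIOUS_PERMISSIONS)
    bad_version = version in MALICIOUS_VERSIONS
    return {
        "version": version,
        "known_malicious_version": bad_version,
        "suspicious_permissions": flagged,
        "recommend_uninstall": bad_version or bool(flagged),
    }

# Constructed sample, trimmed to the fields the check reads.
SAMPLE_DUMPSYS = """\
  Package [com.xunmeng.pinduoduo] (3a1b2c):
    versionCode=55100 minSdk=21 targetSdk=30
    versionName=5.51.0
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    print(assess_pinduoduo(SAMPLE_DUMPSYS))
```

Feed it the real output of `adb shell dumpsys package com.xunmeng.pinduoduo`; a result with `recommend_uninstall` set to True maps directly to the uninstall-and-scan advice above.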
How to Remove the Pinduoduo App and the Fast App Feature from Your Device
If you have confirmed that your device is affected by the Pinduoduo exploit, you should take immediate steps to remove the malicious app and the fast app feature from your device. This will help you prevent further damage and restore your device security. Here are some steps you can follow to remove the Pinduoduo app and the fast app feature from your device:
- Uninstall the Pinduoduo app: You can uninstall the Pinduoduo app by going to Settings > Apps > Pinduoduo on your device and tapping on Uninstall. Alternatively, you can also uninstall the app by going to Google Play Store > Manage apps and devices > Installed > Pinduoduo and tapping on Uninstall.
- Uninstall the fast app feature: The fast app feature is a separate component that may not be removed when you uninstall the Pinduoduo app. You can uninstall the fast app feature by going to Settings > Apps > Fast App on your device and tapping on Uninstall. If you do not see the Fast App option, you can also uninstall it by going to Google Play Store > Manage apps and devices > Installed > Fast App and tapping on Uninstall.
- Scan your device for malware: After uninstalling the Pinduoduo app and the fast app feature, you should scan your device for any malware that may have been installed by the exploit. You can use a reputable antivirus software or a security tool such as Microsoft Defender for Endpoint to scan your device and remove any threats or anomalies.
- Update your device software: To prevent future exploits from taking advantage of any vulnerabilities in your device software, you should update your device software to the latest version. You can update your device software by going to Settings > System > System update on your device and tapping on Check for update. If there is an update available, you should download and install it as soon as possible.
How to Prevent Zero-Day Exploits from Compromising Your Device in the Future
Zero-day exploits are one of the most dangerous cybersecurity threats, as they can bypass traditional security solutions and exploit unknown vulnerabilities. However, there are some steps you can take to reduce the risk of zero-day attacks and protect your device in the future. Here are some of them:
- Keep software up-to-date: Install security patches as soon as they become available to fix known vulnerabilities. This will prevent attackers from using outdated exploits to target your device. You can also enable automatic updates for your device software, apps, and antivirus software to ensure that you always have the latest versions.
- Use software from trusted sources: Avoid downloading and installing software from untrusted sources, such as third-party app stores, websites, or emails. These sources may contain malicious software that can exploit zero-day vulnerabilities or introduce new ones. You should also check the permissions and reviews of any software before installing it and only grant the necessary permissions for its functionality.
- Use a web application firewall (WAF): A WAF is a security solution that monitors and filters all incoming traffic to your web applications. It can block malicious traffic and prevent zero-day exploits from reaching your device. A WAF can also adapt to new threats and update its rules in real time. You should use a WAF that is effective, reliable, and easy to manage.
- Monitor outbound as well as inbound traffic: Monitoring your network’s outbound traffic can help you detect any signs of compromise or data exfiltration by zero-day exploits. You can use a network monitoring tool or a security information and event management (SIEM) system to analyze your network traffic and identify any anomalies or suspicious activities. You should also set up alerts and notifications for any unusual or unauthorized traffic.
What is Pinduoduo and Why is it Popular in China?
Pinduoduo is a social e-commerce platform that connects buyers and sellers of various products, such as clothing, fresh produce, electronics, and household goods. It is the second-largest e-commerce platform in China, with more than 850 million active buyers and a gross merchandise value (GMV) of over 1.6 trillion yuan in 2021.
Pinduoduo was founded in 2015 by Colin Huang, a former Google engineer who wanted to create a more interactive and engaging online shopping experience. He combined the concepts of group buying, gamification, and social networking to create a platform that allows users to invite their friends and family to join them in purchasing products at discounted prices. The more people join a group purchase, the lower the price becomes.
Pinduoduo’s popularity in China can be attributed to several factors:
- It caters to the needs and preferences of lower-tier cities and rural areas, where e-commerce penetration is lower and consumers are more price-sensitive and less brand-conscious. Pinduoduo offers a wide range of products at low prices, often sourced directly from farmers or manufacturers, and provides free or subsidized shipping and delivery services.
- It leverages the power of social media and word-of-mouth marketing, as users can share their purchases and recommendations with their contacts on WeChat, China’s most popular messaging app. Pinduoduo also incentivizes users to invite new users by offering cash rewards, coupons, or free products.
- It creates a fun and addictive online shopping experience, as users can browse through personalized recommendations, play mini-games, participate in live-streaming events, and win prizes or discounts. Pinduoduo also uses artificial intelligence (AI) and big data analytics to optimize its product selection, pricing, and user interface.
What are the Legal and Ethical Implications of the Pinduoduo Exploit and Who is Accountable for It?
The Pinduoduo exploit has raised serious legal and ethical questions about the responsibility and accountability of e-commerce platforms, app developers, and device manufacturers for protecting the privacy and security of their users. The exploit has also exposed the vulnerabilities and loopholes in China’s cyber laws and regulations, as well as the challenges of enforcing them.
Some of the legal and ethical implications of the Pinduoduo exploit are:
- The exploit violated the users’ rights to personal information protection, as it accessed and transmitted their sensitive data without their consent or knowledge. According to China’s Cybersecurity Law, network operators must obtain users’ consent before collecting and using their personal information, and must take measures to ensure its security and confidentiality.
- The exploit breached the users’ rights to network security, as it installed malware and performed malicious actions on their devices. According to China’s Cybersecurity Law, network operators must adopt technical measures to prevent viruses, network attacks, network intrusions, and other threats to network security.
- The exploit infringed the users’ rights to consumer protection, as it delivered products that did not match their descriptions or expectations. According to China’s E-Commerce Law, e-commerce operators must provide truthful and accurate information about their products and services, and must not deceive or mislead consumers.
- The exploit damaged the reputation and credibility of Pinduoduo, as well as other e-commerce platforms and app developers. The exploit has triggered public outrage and boycotts against Pinduoduo, as well as investigations by the authorities. The exploit has also raised doubts and concerns about the quality and safety of other apps distributed through third-party app stores in China.
The accountability for the Pinduoduo exploit is not clear-cut, as it involves multiple parties with different roles and responsibilities. Some of the possible parties that could be held accountable are:
- Pinduoduo: As the developer and operator of the app that contained the malicious code, Pinduoduo could be held liable for failing to ensure its security and integrity, as well as for violating its users’ rights. Pinduoduo could face legal actions from its users, regulators, or competitors for compensation or penalties.
- Fast App: As the feature that enabled the execution of the malicious code, Fast App could be held liable for failing to verify and monitor its sources and content, as well as for bypassing the security checks and permissions required by Google Play Store. Fast App could face legal actions from its users, regulators, or Google for compensation or penalties.
- Third-party app stores: As the distributors of the malicious versions of the Pinduoduo app, third-party app stores could be held liable for failing to inspect and regulate their apps, as well as for misleading their users. Third-party app stores could face legal actions from their users, regulators, or Google for compensation or penalties.
- Device manufacturers: As the providers of the devices that were affected by the exploit, device manufacturers could be held liable for failing to patch or update their software or hardware to prevent zero-day vulnerabilities. Device manufacturers could face legal actions from their users or regulators for compensation or penalties.
Conclusion
The Pinduoduo exploit is a serious cyberattack that has compromised the privacy and security of millions of users in China. It has also exposed the weaknesses and challenges of China’s cyber laws and regulations, as well as the responsibility and accountability of e-commerce platforms, app developers, and device manufacturers. To prevent such attacks in the future, users should be more cautious and vigilant about the apps they download and use, and should update their device software regularly. E-commerce platforms, app developers, and device manufacturers should also improve their security measures and practices, and cooperate with the authorities and each other to protect their users’ rights and interests.