Threat Guidances
iOS
Android
Malware
April 11, 2023

Pinduoduo App

Lookout Coverage and Recommendation for Admins

Lookout already has a coverage in place for this app. Any new or existing download of a malicious version of the app will be reported. Additionally, please set the Out of date ASPL policy to have a minimum of March 2023. They can then choose whether to alert the user that the device is out of compliance or block access to enterprise resources until ASPL is updated. We strongly suggest users to keep their devices on auto update for security fixes as and when they become available. Furthermore, we advise the admins to denylist the application for both Android and iOS if they find the app in their fleet.

Overview

Pinduoduo, a large Chinese online retailer, recently had their app removed from both the Google Play Store and iOS App Store because of malicious activity in their app. Researchers have reported that certain versions of this app contain code that can exploit the operating system of devices running the app and could prevent the user from removing the app from the device, installing additional malware in the background, removing other legitimate applications, and spying on the user.

Lookout Analysis

Lookout Researchers have confirmed that the alleged malicious functionality exists in versions that exist outside of Google Play as well. We have no indication at this time that Pinduoduo’s iOS app is affected. Our detailed analysis of the exploits used reveals that one of them relied on CVE-2023-20963, a vulnerability affecting essentially all current Android devices and fixed only in the March 2023 ASPL.

Malicious versions of Pinduoduo were signed with the same signing key as the Pinduoduo app that was distributed via Google Play until it was removed from the store. This proves that the creators of the malicious app have access to the same signing keys as the creators of the legitimate app that was available from Play. Given that a malicious actor had the ability to produce legitimately-signed apps we advise our customers to denylist the Pinduoduo app (com.xunmeng.pinduoduo) for their users, if they find it in their fleet.

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Entry Type
Threat Guidances
Platform(s) Affected
iOS
Platform(s) Affected
Android
Threat Type
Malware
Platform(s) Affected
Threat Guidances
iOS
Android
Malware

Related Content

BancaMarStealer

A customizable Malware-as-a-Service banking trojan delivered through any app with messaging capabilities.

Read Threat Article

Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy

Researchers at the Lookout Threat Lab have discovered a new Android surveillance tied to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Read Threat Article

Multiyear Surveillance Campaigns Discovered Targeting Uyghurs

The Lookout Threat Intelligence team has discovered four Android surveillanceware tools used as part of a much larger mAPT (mobile advanced persistent threat).

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell