Tech News

Google flags apps made by popular Chinese e-commerce giant as malware

On Monday, Google announced that it had flagged several apps made by a Chinese e-commerce giant as malware, alerting users who had them installed, and suspended the company’s official app.

In the last couple of weeks, multiple Chinese security researchers accused Pinduoduo, a rising e-commerce giant that boasts almost 800 million active users, of making apps for Android that contain malware designed to monitor users.

Ed Fernandez, a Google spokesperson, said that “off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” referring to apps that are not on Google Play.

Effectively, Google has set Google Play Protect, its Android security mechanism, to block users from installing these malicious apps, and warn those who have them already installed, prompting them to uninstall the apps.

Fernandez added that Google has suspended Pinduoduo’s official app on the Play Store “for security concerns while we continue our investigation.”

A security researcher, who asked to be anonymous, alerted TechCrunch of the claims against the apps and said they analyzed the apps as well, finding that the apps were exploiting several zero-days to hack their users.

Pinduoduo did not respond to a request for comment.

In a test, TechCrunch installed one of the suspected malicious apps, which popped up a message by Google alerting that the app is malicious.

It’s important to note that Google Play is not available in China, and according to the anonymous security researchers, the malicious apps were present on the custom app stores of the phone manufacturers Samsung, Huawei, Oppo and Xiaomi.

None of these companies responded to a request for comment.

Do you have more information about crypto hacks or crypto mixing services? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email You can also contact TechCrunch via SecureDrop.

Articles You May Like

Prepare for the Azure Security Engineer Associate certification
A popular Android app began secretly spying on its users months after it was listed on Google Play
Potential Backdoor in Gigabyte PCs Exposes Supply Chain Risks
A brief history of VR and AR
Serious Security: That KeePass “master password crack”, and what we can learn from it

Leave a Reply

Your email address will not be published. Required fields are marked *