Google has suspended PDD Holdings Inc.’s main Chinese shopping app Pinduoduo after discovering malware in unsanctioned versions of the software, dealing a blow to one of the country’s biggest online retailers.
The Mountain View, California-based company said on Tuesday it is investigating the matter and suspended downloads of the Play Store version of Pinduoduo as a security precaution. Google didn’t mention Temu, PDD’s popular shopping app for the US, which remains available to download.
The action may cast a cloud over the company at a time when American lawmakers have accused Chinese-owned apps such as TikTok of potentially threatening national security. While Pinduoduo is largely used in China, it’s rare for Google to freeze downloads of a major app of its size and scale.
Google warned users Tuesday to uninstall off-store versions of Pinduoduo. It’s unclear whether other local app stores run by Huawei Technologies Co., Xiaomi Corp. and Tencent Holdings Ltd. are looking into the allegations. PDD’s main shopping app serves more than 700 million mainly Chinese people monthly and is more commonly downloaded via domestic platforms as Google’s isn’t available in the country. A PDD representative didn’t respond to a request for comment. Spokespeople for Tencent, Huawei and Xiaomi also didn’t immediately respond to queries.
“Google Play Protect enforcement has been set to block installation attempts of these identified malicious apps,” a Google spokesperson said. “Users that have malicious versions of the app downloaded to their devices are warned and prompted to uninstall the app.”
Code from previous versions of the app on GitHub shows malware present, said Shawn Chang, founder and chief executive officer of Hong Kong-based security firm HardenedVault, who’s aware of the industry talk but hasn’t examined the software in detail or spoken with PDD. Bloomberg News hasn’t verified the authenticity of the code on GitHub or posts written on the coding service.
“According to that publicly available information, PDD has used nday/0day exploits, targeting Android parcel serialization/deserialization to gain system privileges,” he said.
(Bloomberg)
The Pinduoduo app showing as unavailable on the Google Play Store on March 21. (Bloomberg)