Google has flagged several apps made by a Chinese e-commerce giant as malware, alerting users who had them installed, and suspended the company’s official app.
In the last couple of weeks, multiple Chinese security researchers have accused Pinduoduo, a rising e-commerce giant that boasts almost 800 million active users, of making apps for Android that contain malware designed to monitor users.
Ed Fernandez, a Google spokesperson, said that “off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” referring to apps that are not on Google Play.
Effectively, Google has set Google Play Protect, its Android security mechanism, to block users from installing these malicious apps, and warn those who have them already installed, prompting them to uninstall the apps.
Fernandez added that Google has suspended Pinduoduo’s official app on the Play Store “for security concerns while we continue our investigation.”
Requesting anonymity, a security researcher alerted TechCrunch of the claims against the apps, and said their analysis also found that the apps were exploiting several zero-day exploits to hack users.
Pinduoduo’s spokesperson Kong Ho told TechCrunch in an email that “we strongly reject the speculation and accusation by some anonymous researcher and non conclusive response from Google that Pinduoduo app is malicious. There are several apps that have been suspended from Google Play at the same time and we find it peculiar that TechCrunch chose to single out Pinduoduo.”
As a test, TechCrunch installed one of the suspected apps, which prompted an alert that the app could be malicious.
It’s important to note that Google Play is not available in China, and according to the security researcher, the apps were present on the custom app stores of Samsung, Huawei, Oppo and Xiaomi.
None of these companies responded to requests for comment.
The story has been updated to include the comment from Pinduoduo’s spokesperson.
Do you have information about Pinduoduo and its apps? Or other malicious Android apps? We’d love to hear from you. From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Wickr, Telegram and Wire @lorenzofb, or email lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.