Pinduoduo: When Business Success Comes with Hacking
“The white hat hackers should be guarding security, but they were abused as black hat hackers against users,” said one critic.
Note added on August 21, 2024: This is a post the Natto Team published on May 26, 2023. It looks into China’s e-commerce company Pinduoduo (PDD) and its alleged hacking team after the Google Play store suspended PDD upon finding malware in some versions of the app. Our research indicates that PDD’s operating model, a social commerce model of “social network promotion for all people,” has made it easy to hack users. The model analyzes users’ habits, interests and preferences to offer personalized push notifications and ads that attract users to use the app more often and place more orders. A white/black hat hacking team could combine these standard e-commerce functions – which are not necessarily illegal – with exploitation of mobile phone vulnerabilities to enable unauthorized access to user data and information. PDD figured out this shortcut early on in its explosive growth. Fortunately for users, the country’s top mobile vulnerability mining expert had the moral decency to refuse to help PDD exploit users, but that didn’t stop PDD from forming a hacking team to further its “wild, savage” growth. A year after we published this post, in May 2024, PDD took Alibaba’s spot as China’s most valuable e-commerce company. How much has its hacking team contributed to this explosive growth? It is hard to measure, but we know it has been critical.
Pinduoduo and Its Alleged Hacking Team
On March 21, 2023, citing “security concerns,” Google’s Play store suspended sales of Pinduoduo (拼多多) (PDD), one of China’s largest shopping applications (apps), with close to 900 million users. Google identified Pinduoduo as a malicious app out of an abundance of caution after finding malware in some versions of the app that were not available on the Play store. Following the suspension, CNN interviewed cybersecurity researchers who had identified malware on versions of the Pinduoduo app, distributed through local app stores in China, that exploited vulnerabilities in the Android mobile phone operating system. The Pinduoduo app could bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages, and change settings. Once installed, it was difficult to delete.
Meanwhile, Bloomberg News reported that Kaspersky Lab, a Moscow-based cybersecurity company, had tested versions of the Pinduoduo app distributed in China and identified malicious code that exploited system software to install backdoors and elevate its own privileges to enable unauthorized access to user data and information. WithSecure, a Finland-based security firm, also reverse engineered the app versions sold in China and found malicious code. On April 16, 2023, the US Cybersecurity and Infrastructure Security Agency ordered government agencies to patch the Android vulnerability (CVE-2023-20963) that Pinduoduo had exploited.
In fact, before Google’s action and Western media reports, on February 28, 2023, Shanghai-based Chinese security firm DarkNavy (深蓝洞察) had exposed how a major Chinese e-commerce company’s app exploited several Android serialization-related vulnerabilities to “achieve a 0-day/N-day attack to bypass system checksum and obtain system-level StartAnyWhere capability.” The report didn’t name Pinduoduo, but savvy Chinese security researchers published the redacted code and analysis on GitHub, pointing directly at the Pinduoduo app. DarkNavy’s Chinese-language report called the act of “this e-commerce giant” “the most ‘unforgivable’ vulnerability exploitation.” “The company broke the bottom line by utilizing white hat hackers as a weapon to point at users…The white hat hackers should be guarding security, but they were abused as black hat hackers against users.”
Reading between the lines, the DarkNavy report suggested that Pinduoduo had a team of hackers who served as either white hats or black hats, depending on the circumstances and business needs, hired to apply their techniques and skills to exploit users for profit.
CNN’s investigation report confirmed the existence of a hacking team within the Pinduoduo company. An anonymous current Pinduoduo employee told CNN that in 2020 the company set up a team of about 100 engineers and product managers to look for vulnerabilities in Android phones and exploit them. These exploits allowed Pinduoduo to access user information so that the company could master user behaviors and preferences in order to channel users’ activities on the app. The more users shop or sell on the platform, the more profit Pinduoduo could make, according to the employee’s characterization of the company’s motive. The hacking team was disbanded in early March this year, according to the anonymous employee, “after questions about their activities came to light.” This likely referred to the exposure of the hacking activities in the DarkNavy report. Only 20 core members of the hacking team remained, the employee told CNN. According to the employee, Pinduoduo decided to transfer many of the team members to its subsidiary Temu, which launched a US app in September 2022. There, the employees were assigned to teams such as marketing or push notifications, seemingly unrelated to hacking, according to CNN’s source.
Pinduoduo’s Head of Security Refused to Target Users
The Natto Team’s further research shows that, at the end of 2020, the very same year that Pinduoduo established its hacking team, the company’s head of security was forced to resign, according to widespread Chinese media reporting at the time. Pinduoduo dismissed He Qidan (何淇丹), the famous genius hacker known as Flanker or Edward Flanker, only days before he could receive his employee stock options. Several Chinese security industry insiders suggested Flanker had been dismissed because he refused to conduct “hacking attacks” (黑客攻击) for the company. Yun Shu (a.k.a. Wei Xingguo), the founder of MoreSec Technology and former director of the security research lab at the Chinese tech giant Ali Group, posted on his account on Weibo, the Chinese equivalent of Twitter, providing insider information that suggests this was the reason for Flanker’s dismissal. The founder of Keen Security Lab at another Chinese tech giant, Tencent, Wang Qi, also posted on Weibo, confirming that in 2020 Pinduoduo had tasked Flanker with hacking projects which could “violate the law.” After he refused, Pinduoduo harassed and eventually sacked Flanker. Many industry colleagues respected Flanker’s courage in sticking to ethical principles and condemned Pinduoduo’s operation, saying, “no technology can be used for evil,” and “(we) support Flanker.”
Indeed, Flanker is one of the top Chinese hackers. He is an expert on mobile security, particularly Android and iOS, as well as on the security of OS X, the operating system of Apple Mac laptops. Flanker presented at Black Hat 2016, DEF CON 2016 and other security conferences. According to his conference biography, Flanker found multiple vulnerabilities in the Mac OS X kernel, was a winner of the Pwn2Own exploit competition in both the mobile and PC categories, and is a member of the Google/Samsung Security Global Hall of Fame.
Since leaving Pinduoduo, Flanker has headed the XieZhi Security Lab (獬豸安全实验室). He gave presentations at two security conferences in China in 2022 on the search for vulnerabilities in Android systems. In December 2022, Flanker gave a presentation entitled “Practice of large-scale automated Android system vulnerability mining system based on static program analysis” at the MOSEC 2022 Mobile Security Technology Summit in Shanghai. In July of that year, Flanker was at the 5th XiaoMi IoT Security Summit giving a similar presentation on vulnerability mining in Android systems.
It appears that, even after clearing the conscience-stricken Flanker out of the way, Pinduoduo’s hacking team flourished without the genius hacker. This hacking team likely contributed to the company’s great growth. By the end of 2020, the number of Pinduoduo’s annual active users had surpassed that of Alibaba, reaching 788 million. Two years later, Pinduoduo’s Q4 2022 revenues had grown 46% year-over-year, a growth rate that far outpaced those of competitors JD.com and Alibaba.
Pinduoduo’s Operation Model Has Made Hacking Users Convenient
Many industry experts used the words “wild” or “savage” to describe Pinduoduo’s explosive growth. Colin Zheng Huang, an ex-Google engineer, founded the company in April 2015. Three years later, in July 2018, Pinduoduo went public and listed on the US NASDAQ stock exchange, in one of the biggest IPOs of the year. The company describes its e-commerce platform as a “virtual bazaar” of “Costco meets Disney” which represents “value-for-money and entertainment.” At this virtual bazaar, using the so-called “Pin” (team purchase) function, users can enjoy lower prices by inviting their contacts through social networks to form purchase teams. Users also share new findings within their social networks while receiving new information from others, so that they can facilitate more team purchasing. “Pin” lets users “share, explore, and purchase together” for “more savings” and “more fun.”
Pinduoduo’s model of “social network promotion for all people” (全民社交推广) uses not just team purchasing for price bargaining, but also “red packet” rewards – referring to the money in a red envelope that Chinese people traditionally give each other on holidays – and lottery promotions to convince users to promote Pinduoduo to their acquaintances and friends. One focus of the Pinduoduo platform is agricultural products; the app facilitates direct sales between small-scale farmers and consumers. Chinese e-commerce market watchers called Pinduoduo’s agricultural approach the strategy of “encircling the cities from the rural areas,” a political strategy utilized by Chairman Mao Zedong, founder of the People’s Republic of China, when he seized power in 1949. Possibly due to this agricultural focus, more than 65% of Pinduoduo’s user base is from third-tier cities or rural areas and smaller towns, and about 80% of the users are housewives and middle-aged people or seniors who are less tech-savvy, may not pay attention to brands, and love to take advantage of everyday goods such as fresh produce at bargain prices.
Pinduoduo’s social commerce model analyzes users’ habits, interests and preferences to offer personalized push notifications and ads that attract users to use the app more often and place more orders. A white/black hat hacking team could combine these standard e-commerce functions – which are not necessarily illegal – with exploitation of mobile phone vulnerabilities to enable unauthorized access to user data and information. Pinduoduo figured out this shortcut early on in its explosive growth. Fortunately for users, the country’s top mobile vulnerability mining expert had the moral decency to refuse to wallow in the mire with Pinduoduo and exploit users, but that didn’t stop Pinduoduo from forming a hacking team to further its “wild, savage” growth.
What’s Next? Temu?
Non-Chinese users may feel relieved that the malicious code has so far only been found in versions of the Pinduoduo app aimed at users in China. However, the fact that the Google Play Store has banned the Pinduoduo app version available outside China, in which the malware has not yet been reported to have been found, suggests that Google might fear that users of the non-malicious Pinduoduo version could receive malicious updates in the future; the ability to deliver malicious updates without app store review was a feature of the malicious Chinese version, according to researchers from Tel Aviv-based Check Point Research. Additionally, the fact that many Pinduoduo hacking team members reportedly moved over to its overseas subsidiary Temu should raise security concerns. The Temu app for international users, which advertises highly discounted items, became the #1 free app on Google Play in late 2022 and received a Google Play Editors’ Choice award. It also has a version for Apple’s iOS mobile operating system and was the #1 app on the iOS App Store in early 2023. After Google banned Pinduoduo in March 2023, Temu’s website deleted mention of its parent company, as if to hide its relationship with Pinduoduo. US legislators and cybersecurity analysts have pointed out the potential risks of Chinese-made apps like Temu and provided tips for global users concerned about potential surveillance by these apps.
And so, to conclude, the Natto Team recommends that readers do some research before downloading an app or making an online purchase from a company they are not familiar with, as the Washington Post’s Tech Help Desk suggested. Taking control of how technology works for you is not easy, but you should never give up trying.