April 11, 2023

Pinduoduo App

Entry Type
Security Guidance
Platform(s) Affected
iOS
Android
Threat Type
Malware

Lookout Coverage and Recommendation for Admins

Lookout already has coverage in place for this app. Any new or existing download of a malicious version of the app will be reported. Additionally, please set the Out of date ASPL policy to a minimum of March 2023. Admins can then choose whether to alert the user that the device is out of compliance or to block access to enterprise resources until the ASPL is updated. We strongly suggest that users keep their devices on auto update so that security fixes are applied as soon as they become available. Furthermore, we advise admins to denylist the application for both Android and iOS if they find the app in their fleet.

Overview

Pinduoduo, a large Chinese online retailer, recently had its app removed from both the Google Play Store and the iOS App Store because of malicious activity in the app. Researchers have reported that certain versions of this app contain code that can exploit the operating system of devices running the app and could prevent the user from removing the app from the device, install additional malware in the background, remove other legitimate applications, and spy on the user.

Lookout Analysis

Lookout researchers have confirmed that the alleged malicious functionality also exists in versions distributed outside of Google Play. We have no indication at this time that Pinduoduo’s iOS app is affected. Our detailed analysis of the exploits used reveals that one of them relied on CVE-2023-20963, a vulnerability affecting essentially all current Android devices and fixed only in the March 2023 ASPL.

Malicious versions of Pinduoduo were signed with the same signing key as the Pinduoduo app that was distributed via Google Play until it was removed from the store. This proves that the creators of the malicious app have access to the same signing keys as the creators of the legitimate app that was available from Play. Given that a malicious actor had the ability to produce legitimately signed apps, we advise our customers to denylist the Pinduoduo app (com.xunmeng.pinduoduo) for their users if they find it in their fleet.
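The two admin recommendations in this advisory (a minimum Android Security Patch Level of March 2023, and denylisting com.xunmeng.pinduoduo) can be checked against a device inventory without waiting for a management console. The following is an added example written for this page, not Lookout's or Pinduoduo's code. It assumes an inventory where each Android device carries the value of the `ro.build.version.security_patch` property (the same YYYY-MM-DD string `adb shell getprop` returns) and its installed package list; the device records are constructed sample data. A missing or malformed patch string is treated as out of compliance rather than silently passing, and only the Android package name appears in the denylist because the page gives no iOS bundle identifier.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Minimum Android Security Patch Level recommended by the advisory (March 2023 ASPL).
MIN_ASPL = date(2023, 3, 1)

# Package names the advisory recommends denylisting. Only the Android package
# name is given on the page, so iOS devices get no denylist match here.
DENYLISTED_PACKAGES = {"com.xunmeng.pinduoduo"}


@dataclass
class Device:
    """One inventory record (hypothetical schema assumed for this example)."""
    device_id: str
    platform: str                     # "android" or "ios"
    security_patch: Optional[str]     # ro.build.version.security_patch on Android, e.g. "2023-03-05"
    packages: List[str] = field(default_factory=list)


def parse_aspl(value: Optional[str]) -> Optional[date]:
    """Parse a YYYY-MM-DD patch level. Returns None when missing or malformed so
    the caller can flag the device instead of treating it as compliant."""
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def evaluate(device: Device) -> List[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings: List[str] = []
    if device.platform == "android":
        aspl = parse_aspl(device.security_patch)
        if aspl is None:
            findings.append("aspl_unknown")
        elif aspl < MIN_ASPL:
            findings.append(f"aspl_out_of_date:{device.security_patch}")
    for pkg in sorted(DENYLISTED_PACKAGES.intersection(device.packages)):
        findings.append(f"denylisted_app:{pkg}")
    return findings


def audit(devices: List[Device]) -> Dict[str, List[str]]:
    """Map device_id -> findings for every device that has at least one finding."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = evaluate(device)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample fleet; these are not real devices.
SAMPLE_FLEET = [
    Device("android-01", "android", "2023-03-05", ["com.android.chrome"]),
    Device("android-02", "android", "2023-02-05", ["com.android.chrome", "com.xunmeng.pinduoduo"]),
    Device("android-03", "android", None, ["com.android.chrome"]),
    Device("ios-01", "ios", None, ["com.apple.mobilesafari"]),
]

if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_FLEET).items():
        print(device_id, ", ".join(findings))
```

Because the analysis above shows the malicious builds were signed with the legitimate Pinduoduo key, checking an APK's signing certificate against the Play-distributed one does not separate the two; that is why the check here keys on package presence and patch level, and why detection of the malicious versions themselves is left to the coverage Lookout describes.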

