Threat Guidances
iOS
Android
Malware
April 11, 2023

Pinduoduo App

Lookout Coverage and Recommendation for Admins

Lookout already has a coverage in place for this app. Any new or existing download of a malicious version of the app will be reported. Additionally, please set the Out of date ASPL policy to have a minimum of March 2023. They can then choose whether to alert the user that the device is out of compliance or block access to enterprise resources until ASPL is updated. We strongly suggest users to keep their devices on auto update for security fixes as and when they become available. Furthermore, we advise the admins to denylist the application for both Android and iOS if they find the app in their fleet.

Overview

Pinduoduo, a large Chinese online retailer, recently had their app removed from both the Google Play Store and iOS App Store because of malicious activity in their app. Researchers have reported that certain versions of this app contain code that can exploit the operating system of devices running the app and could prevent the user from removing the app from the device, installing additional malware in the background, removing other legitimate applications, and spying on the user.

Lookout Analysis

Lookout Researchers have confirmed that the alleged malicious functionality exists in versions that exist outside of Google Play as well. We have no indication at this time that Pinduoduo’s iOS app is affected. Our detailed analysis of the exploits used reveals that one of them relied on CVE-2023-20963, a vulnerability affecting essentially all current Android devices and fixed only in the March 2023 ASPL.

Malicious versions of Pinduoduo were signed with the same signing key as the Pinduoduo app that was distributed via Google Play until it was removed from the store. This proves that the creators of the malicious app have access to the same signing keys as the creators of the legitimate app that was available from Play. Given that a malicious actor had the ability to produce legitimately-signed apps we advise our customers to denylist the Pinduoduo app (com.xunmeng.pinduoduo) for their users, if they find it in their fleet.

Authors

Lookout

Endpoint Security
Entry Type
Threat Guidances
Platform(s) Affected
iOS
Platform(s) Affected
Android
Threat Type
Malware
Platform(s) Affected
Threat Guidances
iOS
Android
Malware

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Lookout Discovers New Spyware by North Korean APT37

Lookout researchers have discovered a novel Android surveillance tool dubbed KoSpy. It is attributed to APT 37 aka ScarCruft.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell