Pinduoduo has done numerous bad things before to Chinese users, including popping up ads in the background and pretending to be another app (e.g. WeChat Pay or some battery saver). However, Chinese Android app stores (you know, we don't have Google Play here) are somewhat sponsored by Pinduoduo and they did nothing about that malware.
For people outside China Mainland, personally my advice would be to stop using Temu altogether.
It's odd to me that the Cyberspace Administration of China or other "related departments" are really quiet on this. Isn't this one of the very things that they should be keeping their watchful eyes on?
To add to the funniness, there is a report posted by CNCERT just last month on their website showing their tests on Chinese online shopping apps[1], which includes Pinduoduo. If you see their investigations and numbers, you'd probably think Pinduoduo is fine (really, take a look at the report), LOL. (Note: in case you're wondering, corruption on a small routine report like this is very unlikely, but CNCERT probably did not look very deep into the rabbit hole at all.)
In the end, you still need independent experts such as Liu Huafang to alert the country through public exposures, just like, you know, what happened a few years ago.
> If you see their investigations and numbers, you'd probably think Pinduoduo is fine (really, take a look at the report)
That's... not the impression I got? Pinduoduo is called out as the app that uses the most Android permissions (all four tested); while many apps are found to access the clipboard, only Pinduoduo and Taobao upload the content, and unlike Taobao, Pinduoduo doesn't just do this during a product search but also when not using the app. It's not as bad as other apps on some aspects (Suning Yigou requesting location 1199 times in the background, really?) but doesn't exactly look fine either.
My guess is that CNCERT collected this information with a test harness that logged access to standard Android APIs and wasn't designed to detect exploits; they'll need to up their game next time.
This StackOverflow question https://stackoverflow.com/questions/59903001/how-to-access-c... suggests that it was possible to read the clipboard in the background in Android versions before Q(10). Although it doesn't explicitly say how, maybe the example code given is how you'd do it.
Chinese IT was a wild west at its very inception. Companies with connections to the police framed competitors as early as the 90s, IIRC. Android (de-Googled by law) is fraught with malware-ish apps. Luckily we still have Apple, but I'm a bit terrified of the prospect that Apple may one day be forced to leave China, leaving me only domestic Android.
Upvoted because I think it's important for the world to know about this. Pinduoduo is using some sneaky tactics to get people to download their app, like offering popular products (e.g. iPhones) at prices that are really competitive (10% lower than other merchants). But the app contains malicious code that prevents users from even uninstalling it.
Pinduoduo, commonly known as PDD in China, has had a poor reputation among Chinese users for a long time. It does not come as a surprise that they resorted to using backdoors to gain a competitive edge.
As a Chinese individual, I own two smartphones - an iPhone, which predominantly features Chinese apps, and an Android phone without any such applications. I primarily use the Android device, but rely on the iPhone for paying bills or getting rides.
For those residing in urban China, it is nearly impossible to avoid owning a smartphone equipped with Chinese apps. This is particularly true during the COVID era, when a green QR pass from these apps is necessary for going anywhere. Mobile technology has become deeply ingrained in Chinese society.
HN Guidelines [1] require using the original title, unless the original is misleading etc.
It does not matter what the problem with this title is; even if you make up a perfectly fine (and better in every aspect) title, it's still more appropriate to use the original title.
I believe the rule is specifically made for this case: you have a different view on what's clickbait-y, or I didn't drink enough China-bad. That's the best way to prevent exaggerating.
As a Chinese, I'm now staying away from every app by Chinese tech giants (at least on Android). After all, I don't wanna install backdoors and trojans on my daily device. It also reminded me of the Israeli spyware[1] used for state-funded attacks, except that PDD is installed voluntarily by victims, which is quite a sarcastic fact.
But most people care nothing about privacy here (claiming "I've got nothing to hide!").
Go out of your way to use stock Android on Pixel devices or GrapheneOS instead. At least if somebody decided to burn their exploit, you've got a chance to profit from it.
iPhone might also work but it's too hard to do forensics.
Same. Had a Pixel 2 and tried to flash LineageOS on there, but it didn't work.
Picked up a newer Pixel and it worked then, but found it was hard to live without the goog services. It was either that or trust some rando packages in F-Droid, so went back to the Play Store.
"Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store..."
Given this, it could also be the work of some shady third parties.
Value proposition: we send ridiculously low-priced products to you from merchants. We facilitate the transactions. In return, your personal data's value will be extracted by us. A high-level bargain of privacy disguised in tech.
Does anyone believe for a moment this is limited to just the one app? Has everyone forgotten how TikTok got caught out hoovering up the clipboard when Apple updated their OS?
Haven't apps always been the way to circumvent privacy features offered by the (mobile) browser?
My take may be historically inaccurate, but I think Apple's app ecosystem is rooted in the limited capabilities of the iPhone browser at the time. Apple only reluctantly allowed other companies to target the phone's guts and then much later discovered the app store revenue model they are now addicted to.
With modern browsers and Web apps, "native" apps have since become mostly obsolete. The perspective has shifted in that contemporary Android/iOS apps are no longer a kludge to work around browser capabilities, but instead a market place for selling user privacy to third parties.
Security comes in only when it's absolutely obvious that app developers are way overstepping the boundaries of what the app is supposed to do. Like backgrounding and monitoring the clipboard for no good reason whatsoever.
As an app developer I can tell you that's nothing unusual, because most of the attribution user linking happens (or happened) through the clipboard.
When you used Google/Firebase deep link[1] functionality, it was copying a hash shortly before the deep link, which was then pasted inside the app and could be used to link both web and app sessions together, which was really helpful.
That's exactly the same model of attracting new users when compared to PDD in China. PDD fraudulently promises to provide users with coupons in return if one tries to attract more users. The required invitation count starts at 5 for example, but as the user invites more victims, the required number of invitees grows indefinitely. By claiming that the user has completed 99.99% of the required invitation, the app can actually attract hundreds of new users before the inviter is finally aware that it's just a scam.
>Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.
This app uses a huge number of coupons and discounts to attract users. Unfortunately many Chinese citizens don't care if their privacy is infringed; all they care about is that they are able to save maybe 5 yuan. Baidu's CEO even made an open statement that Chinese users are willing to trade privacy for convenience. That is a very sad situation.