Kaspersky confirms Pinduoduo contains malicious code

shuiyaa
Original poster (北美华人网)
www.bloomberg.com/news/articles/2023-03-27/pinduoduo-app-malware-detailed-by-cybersecurity-researchers
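A few points worth noting: 1/ Pinduoduo is lying through its teeth and denying the allegations. 2/ Chinese regulators seem to be asleep. 3/ Huawei and Xiaomi, which were attacked, don't seem to be saying much either. 4/ PDD shareholders, surprisingly, haven't filed a class action. Anyone using Temu should think about whether they want to hand their name, phone number and address to a company like this.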
meetmylove2015
Is it Pinduoduo or TEMU?
Cinderella_smile
Following
fridec2
(Bloomberg) -- Security researchers at Moscow-based Kaspersky Lab have identified and outlined potential malware in versions of PDD Holdings Inc.’s Chinese shopping app Pinduoduo, days after Google suspended it from its Android app store.
In one of the first public accountings of the malicious code, Kaspersky laid out how the app could elevate its own privileges to undermine user privacy and data security. It tested versions of the app distributed through a local app store in China, where Huawei Technologies Co., Tencent Holdings Ltd. and Xiaomi Corp. run some of the biggest app markets.
Kaspersky’s findings, shared with Bloomberg News, were among the clearest explanations from an independent security team for what triggered Google’s action and malware warning last week. The cybersecurity firm, which has played a role in uncovering some of the biggest cyberattacks in history, said it found evidence that earlier versions of Pinduoduo exploited system software vulnerabilities to install backdoors and gain unauthorized access to user data and notifications. 
Those conclusions agreed in large part with those of researchers that had posted their discoveries online in past weeks, though Bloomberg News hasn’t verified the authenticity of the earlier reports.
“Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files,” said Igor Golovin, a Kaspersky security researcher.
Google last week took the rare step of halting downloads of the app from one of China’s largest online retailers, urging users to uninstall Pinduoduo if they already have it on their device. That warning, visible to users with Google Mobile Services — which are unavailable in China — calls the app “harmful” and warns it can allow unauthorized access to a user’s data or device. The designation and warning were still in place as of Monday in Hong Kong. PDD, which has rejected claims of its app containing malicious code, didn’t respond to requests for comment on Monday.
The security incident may add fuel to already heated rhetoric in the US about data insecurity with Chinese apps. While Pinduoduo is largely used in China, PDD’s other app Temu — which sells everything from clothes to kitchen supplies — has been the most-downloaded app on Apple Inc.’s US app store for much of the past few months. It has not yet been the focus of lawmaker scrutiny the way that ByteDance Ltd.’s TikTok has.
Kaspersky, which the US last year placed on a list of companies it deemed a threat to national security, said it did not discover the malicious versions of the Pinduoduo app but drew on earlier research by Chinese cybersecurity analysts.
PDD competes for market share in the hotly contested China e-commerce sector led by Alibaba Group Holding Ltd. and JD.com Inc. The upstart competitor, which carved out its own place in the domestic market by addressing underserved consumers, also has lofty ambitions for growth in North America through its Temu app.
©2023 Bloomberg L.P.
Is it Pinduoduo or TEMU?
meetmylove2015 posted on 2023-03-27 19:54

any difference?
fridec2
Is it Pinduoduo or TEMU?
meetmylove2015 posted on 2023-03-27 19:54

From the context, it is talking about Pinduoduo
While Pinduoduo is largely used in China, PDD’s other app Temu — which sells everything from clothes to kitchen supplies — has been the most-downloaded app on Apple Inc.’s US app store for much of the past few months.
辣手摧花
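So what? American apps don't collect information? Don't leak it? These days practically every website makes you click "Agree" before it lets you use it. Foreign websites are fine, but Chinese websites need "thinking about"? When Amazon immediately pushes you the things you just searched for on Google, do you not think about that? The security you believe in is really just the emperor's new clothes.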
jeso1

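1. Pinduoduo uses Bundle feng shui to bypass system validation and obtain the StartAnyWhere capability. After escalating privileges, the app collects user information (location information, Wi-Fi information, which social media apps are installed, cell tower information).
2. Another hacking technique in the Pinduoduo app: it rewrites critical system configuration files to keep itself alive, so an uninstall does not actually uninstall it, deceiving the user and achieving uninstall prevention.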

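One is that it collected your geo-location, the other is that it stays hidden after being uninstalled. When it comes to collecting geo-location, Google seems to be the industry veteran; Google collects where the user is every minute, which is why it can target ads so precisely.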
ostrakon
Is it only on Android, or on Apple too?
honeybunch
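So what? American apps don't collect information? Don't leak it? These days practically every website makes you click "Agree" before it lets you use it. Foreign websites are fine, but Chinese websites need "thinking about"? When Amazon immediately pushes you the things you just searched for on Google, do you not think about that? The security you believe in is really just the emperor's new clothes.
辣手摧花 posted on 2023-03-27 20:01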

You are a layman: privilege escalation is a cyberattack. What you are describing is big data: personalized recommendation
CINA2020
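So what? American apps don't collect information? Don't leak it? These days practically every website makes you click "Agree" before it lets you use it. Foreign websites are fine, but Chinese websites need "thinking about"? When Amazon immediately pushes you the things you just searched for on Google, do you not think about that? The security you believe in is really just the emperor's new clothes.
辣手摧花 posted on 2023-03-27 20:01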

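Same with phones: look at something once and the ads get pushed immediately. The aunties don't think there is anything wrong with that, but a Chinese app must surely have a problem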