Millions at risk from Chinese ‘malware’ app


A popular Chinese shopping app with hundreds of millions of users poses a major threat, experts are warning.

Google last month suspended a version of the Pinduoduo app from its Play Store, citing security concerns.

Malware issues had been found on versions of the app outside of Google’s app store, a company spokesman said in a statement.

“The Off-Play versions of the e-commerce app that have been found to contain malware have been enforced on via Google Play Protect,” the spokesman said.

The company routinely scans all apps on Android phones for malicious software.

Now an investigation has revealed that the Pinduoduo app can bypass security to monitor activities on phones. It also has the ability to check notifications, read private messages and change settings, according to a report by CNN.

And it can snoop on people as they use other apps.

The Chinese app is also difficult to remove once it has been installed.

And the app asks for much more access than it needs.

Mikko Hyppönen, chief research officer at cyber security company WithSecure, told CNN: “We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to.

“This is highly unusual, and it is pretty damning for Pinduoduo.”

‘Malicious code’

Security researchers at Kaspersky Lab told Bloomberg that Pinduoduo was able to elevate its own privileges to undermine user privacy and data security.

They also discovered evidence that showed some versions of Pinduoduo were able to exploit system software vulnerabilities to install backdoors and gain unauthorised access to user data and notifications.

Igor Golovin, a Kaspersky security researcher, said: “Some versions of the Pinduoduo app contained malicious code, which exploited known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, some of which also gained access to users’ notifications and files.”

Malware can be used to steal data or interfere with devices.

There is no evidence that Pinduoduo has given data to the Chinese government, but Beijing is able to compel businesses under its jurisdiction to disclose information under national security laws.

Attention is now turning to Pinduoduo’s sister app Temu, which is widely used in the US.

Both apps are owned by multinational company PDD, which is listed on the Nasdaq Composite.

PDD has rejected claims its app contains malicious code.

TikTok CEO Shou Chew recently fronted the House Committee for Energy and Commerce over concerns about the app’s potential for national security threats.


A growing number of government departments in Australia have banned TikTok because of concerns about owner ByteDance’s ties with the Chinese government.

Shadow Home Affairs Minister Karen Andrews recently said the government should act to ban the app on government-issued phones.
