
Users report Duoduo for inserting malware, monitoring user behavior, and harvesting private user data

Author: Speak in your voice

Recently, the app has been found to bypass the phone's security to monitor activity in other apps, view notifications, read private messages, and change settings. Once installed, it is hard to remove.


The investigation found that while many apps collect large amounts of user data, experts say Duoduo has taken privacy and data security violations to a new level.

After receiving users' reports, a dedicated team conducted a detailed investigation, consulting six cybersecurity teams from Asia, Europe and the United States, as well as several former and current employees.

The investigation found that Duoduo's app used vulnerabilities in the Android operating system to insert malware, and a company insider admitted that the vulnerabilities were used to spy on users and competitors in order to boost sales.

Malware refers to software developed to steal data or interfere with computer systems and mobile devices.

Google suspended Duoduo's app on its Play Store in March, citing malware found in several versions of the app.


Subsequently, a Russian cybersecurity company also found potential malware in the app.

Targeting Android

Founded in Shanghai in 2015 by former Google employee Huang Zheng, the startup offers deep discounts on group buying and targets low-income groups. Duoduo was listed in New York at the end of 2018.

In 2020, the company set up a team of about 100 engineers and product managers to find vulnerabilities in Android phones, develop ways to exploit them, and turn them into profit, current employees said.


Sources who requested anonymity for fear of reprisals said the company initially targeted users in rural areas and small towns, avoiding users in big cities such as Beijing and Shanghai, with the goal of "reducing the risk of exposure."

By collecting large amounts of data on user activity, the company was able to build a full picture of users' habits, interests, and preferences. This allowed the app to be continuously tuned to deliver more personalized push notifications and ads that entice users to open the app and place an order. After their activities were exposed, the team disbanded in early March.

The most dangerous malware

The researchers found code for "privilege escalation" in the app: a cyberattack that exploits vulnerabilities in the operating system to gain access to data at a higher privilege level than the app was granted.

Mikko Hyppönen, chief research officer at Finnish cybersecurity firm WithSecure, said: "We haven't seen mainstream apps like this one that elevate access to things they shouldn't. This is very unusual; it is very abhorrent."

"Our team has reverse-engineered the code, and we can confirm that it's trying to elevate privileges, trying to get things that normal apps can't do on Android phones," Hyppönen said.

Hyppönen said the app's ability to keep running in the background and to prevent itself from being uninstalled allowed it to increase its monthly active user numbers.

He added that it also has the ability to spy on competitors by tracking activity on other shopping apps and getting information from them.

The researchers say they also found that some plugins hide potentially malicious components under legitimate file names to mask their intent. "This technique is widely used by malware developers who inject malicious code into applications with legitimate functionality."

The malware specifically targets different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi, and Oppo.

They describe Duoduo as "the most dangerous malware." He also found that Duoduo exploited about 50 Android system vulnerabilities.


Duoduo also exploited several AOSP vulnerabilities, including one that Toshin reported to Google in February 2022; Google fixed that bug in March this year. These vulnerabilities allowed Duoduo to access a user's location, contacts, calendar, notifications, and photo albums without the user's consent. Duoduo was also able to change system settings and access users' social network accounts and chat history.
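A defender-side triage check for the data categories listed above, added here as an example and not part of the original report: it parses a captured `adb shell dumpsys package <pkg>` dump for grants a shopping app has no business holding (location, contacts, calendar, photos, system settings) and checks the `enabled_notification_listeners` secure setting for notification access. The package name `com.example.shop`, the dump text and the grant layout it assumes are all constructed for the example.

```python
"""Flag granted Android permissions that reach the data categories named
in the report.  Inputs are text captured with adb; the sample below is
constructed, not a real device dump (layout assumed from `dumpsys package`)."""
import re

# Data category -> permissions that reach it (categories from the report).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_EXTERNAL_STORAGE": "albums/storage",
    "android.permission.READ_MEDIA_IMAGES": "albums",
    "android.permission.WRITE_SETTINGS": "system settings",
}

# Matches both install and runtime grant lines: "<perm>: granted=true, ..."
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_permissions(dump: str) -> set:
    """All permissions the dump shows as granted (install or runtime)."""
    return {name for name, state in GRANT_RE.findall(dump) if state == "true"}


def flag_sensitive(dump: str) -> dict:
    """Map each sensitive data category to the granted permissions reaching it."""
    hits = {}
    for perm in sorted(granted_permissions(dump)):
        category = SENSITIVE.get(perm)
        if category:
            hits.setdefault(category, []).append(perm)
    return hits


def listens_to_notifications(pkg: str, enabled_listeners: str) -> bool:
    """`settings get secure enabled_notification_listeners` prints colon-separated
    component names (pkg/Service), or 'null' when no listener is enabled."""
    value = enabled_listeners.strip()
    if value in ("", "null"):
        return False
    return any(component.split("/")[0] == pkg for component in value.split(":"))


# Constructed sample dump for a hypothetical shopping app.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.shop] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.WRITE_SETTINGS: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""
SAMPLE_LISTENERS = "com.example.shop/.NotifService:com.android.other/.Svc"
```

Run `flag_sensitive(SAMPLE_DUMP)` and `listens_to_notifications("com.example.shop", SAMPLE_LISTENERS)` to see which of the report's data categories a given dump exposes.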

Three of the six teams did not conduct a full inspection, but their initial review revealed that Duoduo had obtained access far beyond the normal functionality of a shopping app.
