laitimes

No secrets! Pinduoduo's Duoduo grocery store-side app was exposed to illegally monitor users' mobile phones

Pinduoduo, a major e-commerce platform with more than 300 million daily users, was removed from the Google Play store in March after Google found malware in its application. Recently, netizens further exposed that its Duoduo Grocery store-side app illegally monitors and steals users' phone privacy information, including hijacking notification-bar content, secretly recording, and reporting users' phone usage in real time.

The disclosure comes from a well-known domestic technical forum, where the whistleblower gave everyone a lesson on privacy and security through code analysis and similar methods.

The post shows that the Duoduo Grocery store-side app contains a utility class called NotificationUtils, which can check whether the current application is allowed to post notifications, obtain and record the notification permission status, and obtain the number of notifications in the notification bar; all of this is called internally.


In other words, once a user installs the Duoduo Grocery store-side app, the phone's notification bar is effectively opened to Duoduo Grocery, including the name of the app that pushed each notification, the push time, and the push title, body, user ID and other content.

Put bluntly, the details in your phone's notification bar were illegally harvested and used by Duoduo Grocery. For example, WeChat contact nicknames, avatars and message content shown in the notification bar, Weibo and SMS push content, and even the transaction records pushed by a bank's mobile client (time, last digits of the card number, amount, channel) and the time and train number in a travel reminder could all be captured in the background by the Duoduo Grocery store-side app.
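Any app granted notification-listener access on Android can read notification contents in the way described above, so the defender's first check is which apps hold that access. The following shell script is an added example, not code from the forum post or from Pinduoduo; it parses the `enabled_notification_listeners` secure setting (read via `adb`) and lists the packages that can read the notification bar. The sample setting value and its package names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which apps on an Android device hold notification-listener
# access, i.e. can read every notification's sender, title and body.
# On a real device the raw value comes from:
#   adb shell settings get secure enabled_notification_listeners
# Its format is "pkg/component:pkg2/component2" (colon-separated), or "null"
# when no listener is enabled.

# Constructed sample of that setting for offline use; the package names are
# illustrative and not taken from the article.
SAMPLE_LISTENERS='com.example.wear/com.example.wear.NotifService:com.example.shop/com.example.shop.push.NotificationUtils'

# Print one package name per line from a raw enabled_notification_listeners value.
listener_packages() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Return 0 if the given package has notification-listener access, 1 otherwise.
has_listener_access() {
    listener_packages "$1" | grep -qx "$2"
}

# Read the live value from a connected device (requires adb and USB debugging).
device_listeners() {
    adb shell settings get secure enabled_notification_listeners | tr -d '\r'
}

# Usage: list every app that can read the notification bar. To revoke one:
#   adb shell cmd notification disallow_listener <pkg/component>
listener_packages "$SAMPLE_LISTENERS"
```

Run `listener_packages "$(device_listeners)"` against a real device to get the live list; any package you did not knowingly grant notification access to deserves a closer look.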


It is frightening to think about: anyone who installed the Duoduo Grocery app has had their private information all but exposed. If a victim asks for an explanation, the answer may well be "you accepted the Duoduo Grocery store-side system privacy agreement by default".

The Duoduo Grocery store-side system privacy agreement states: "When the user clicks to accept the agreement, the App will obtain the user's device type, device model, MAC address and IMEI, device settings, device storage space, list of mobile applications and other software and hardware information; at the same time, when the user accesses or uses the Duoduo Grocery store-side App, the system will automatically receive and record information from the user's browser and computer, including but not limited to IP address, browser type, search history, browsing history, browsing habits, etc."


This amounts to the "legal commercial use" of users' private information. Users who download the Duoduo store-side app may not be able to see and correctly understand this agreement, with the result that their private information is maliciously used and they fall into a vicious circle...

In addition, the post mentioned that the Duoduo Grocery store-side app can remotely control the user's phone, which may result in the phone being monitored, having malware installed, or suffering virus attacks.

In fact, beyond the store-side app's exposed illegal monitoring and exploitation of user privacy, malicious code in the Pinduoduo app itself was previously confirmed by the internationally known security company Kaspersky.

There are also relevant reports online, such as Kaspersky's response to First Finance and Economics: "We have received comments from security researcher Igor Golovin that some versions of the Pinduoduo app contain malicious code, use known Android vulnerabilities to escalate privileges, download and execute additional malicious modules, and some of them also gain access to user notifications and files. Our product detects these versions as HEUR:Backdoor.AndroidOS.Pinduo.a. The infected versions of the app are distributed through a local app store."

On GitHub, the world's largest software project hosting platform, someone published a PDF report on Pinduoduo's malicious behavior. It analyzes in technical detail how Pinduoduo infringes on user privacy, which amounts to even more conclusive evidence.


The report pointed out that Pinduoduo's malicious behavior overall revolves around three goals: customer acquisition, promoting transactions, and high daily active users. The specific behaviors fall into five categories: keep-alive, inducement and deception, uninstall prevention, information collection, and attack and infection.

Among them, high daily activity is achieved mainly through keep-alive, inducement and deception, uninstall prevention, and attack and infection behaviors. Customer acquisition is achieved through remote silent installation and link forgery.

This reminds me that as early as 2021 a topic about Pinduoduo and hacking trended on Zhihu: "How should we view the genius hacker Flanker allegedly being forcibly fired by Pinduoduo for refusing to do hacking work, and missing out on hundreds of millions in shares?"

Yun Shu, founder and CTO of Moan Technology and former director of Alibaba Group's security research laboratory, also posted on Weibo in support of Flanker. That afternoon, Flanker posted three Weibo messages mentioning the crime of "aiding information network criminal activities", which further fueled the incident.


The alleged reason, "refusing to do hacking business", is itself thought-provoking...

Overall, Pinduoduo does appear to use technical means to illegally obtain user privacy for its own commercial interests. In an era that emphasizes technology for good, Pinduoduo seems to have gone somewhat astray.

Article 4 of the Provisions on the Management of Network Product Security Vulnerabilities, implemented in 2021, clearly stipulates: "No organization or individual may use network product security vulnerabilities to engage in activities that endanger network security, and must not illegally collect, sell, or publish information on network product security vulnerabilities; where it is known that others are using network product security vulnerabilities to engage in activities that endanger network security, they must not be provided with technical support, advertising promotion, payment and settlement, or other assistance."

On February 27, the Ministry of Industry and Information Technology issued 26 measures focusing on app installation and uninstallation, service experience, personal information protection, complaint response and so on, proposing targeted improvements; at the same time, it carefully divided the responsibilities of app developers and operators, distribution platforms, SDKs (software development kits), terminals and access enterprises.

Protecting citizens' information is the bottom line every enterprise should respect. Especially in today's big-data-dominated world, how to keep the use of personal information lawful is an evolving issue. But enterprises cannot use hacking and similar means to illegally obtain citizens' private information and undermine a fairly competitive business environment; that is contemptible.
