Pinduoduo, a Top Chinese Shopping App, Is Laced With Malware
A United States Immigration and Customs Enforcement database WIRED obtained through a Freedom of Information Act request shows that the agency has been leaning on a certain type of administrative subpoena to collect data from elementary schools, abortion clinics, and other vulnerable populations. And new details about a recent supply chain attack against the VoIP software 3CX indicate that attackers—likely hackers working for the North Korean government—were targeting cryptocurrency companies in the broad assault.
We also looked at this week’s move by Italy’s data regulator, Garante per la Protezione dei Dati Personali, to temporarily stop OpenAI from incorporating Italians’ personal information into training data. In response, the company has for now blocked people in Italy from accessing its generative AI platform, ChatGPT. Meanwhile, we explored the dangerous missing security defense in the US agriculture sector and the nation’s food supply chain, and we went deep on the saga of a small US gadget blog that found troubling flaws in foreign security cameras and took on the Chinese surveillance industry to get them fixed.
In virtual private network news, the open source VPN Amnezia has been allowing users in Russia to stay one step ahead of the Kremlin’s inveterate censorship and digital control. And the Tor Project collaborated with the open source VPN maker Mullvad to create a new privacy-focused browser that incorporates the VPN of your choosing.
Plus, there’s more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.
The Chinese ecommerce giant Pinduoduo has more than 750 million customers a month and sells a vast array of products and groceries. But cybersecurity researchers who analyzed the company’s Android app found that it is laced with invasive malware that exploits Android vulnerabilities to take control of users’ devices—gaining access to data from other apps, changing system settings, and monitoring people’s digital activity in a number of ways.
Current and former Pinduoduo employees told CNN that the company has a specific initiative to discover Android vulnerabilities and develop exploits. The goal is allegedly to increase sales by monitoring customers and competitors. CNN said there is no specific evidence that Pinduoduo gives the data it steals to Beijing, but under Chinese law that would be very possible. Google suspended the app from its Play Store in late March, but the app store is banned in China, so Android users typically download their apps from local app stores anyway. In the past, Pinduoduo has rejected “the speculation and accusation that [the] Pinduoduo app is malicious,” but it did not respond to multiple CNN requests for comment on the new findings. Tech giants around the world are often criticized for their massive, even excessive data collection practices. But researchers said that Pinduoduo’s app was particularly egregious.
Law enforcement from 17 countries collaborated on the takedown this week of the widely used digital criminal marketplace Genesis, known for hawking massive quantities of stolen login credentials and access tokens. Police seized the site’s infrastructure and also executed a massive campaign in multiple countries to conduct 208 property searches and arrest 119 of the site’s alleged users. The FBI and Dutch National Police led the effort with support from Europol and many others. “Working across 45 of our FBI Field Offices and alongside our international partners, the Justice Department has launched an unprecedented takedown of a major criminal marketplace that enabled cybercriminals to victimize individuals, businesses, and governments around the world,” US attorney general Merrick Garland said in a statement. “Our seizure of Genesis Market should serve as a warning to cybercriminals who operate or use these criminal marketplaces.”
Just in time for tax day, public procurement records reviewed by Motherboard show that the US Internal Revenue Service is interested in purchasing an internet surveillance tool from Team Cymru, a company that makes digital monitoring products. The FBI and US military are already customers. The tool gives users access to “netflow” data, which reveals broad internet activity, including interactions like server communication. Without such surveillance tools, only a server’s host or operator and internet service provider would have access to such data. The records also indicate that the IRS is looking to purchase access to a number of cybersecurity products for defense.
Tesla vehicles incorporate a number of cameras, but the video they capture is supposed to be locked down so you have privacy in your own car. However, Reuters found that Tesla employees shared embarrassing and “highly invasive” videos and images from customers’ cars on an internal company communication platform between 2019 and 2022. Some of the footage was simply of dogs or comical road signs, but it also captured an array of compromising situations, including nudity. Tesla didn’t respond to detailed questions from Reuters about the findings.
The Chinese spy balloon that caused an uproar as it floated over the US early this year made multiple passes over sensitive military sites and successfully collected some electronic signals, like those from communications and weapons systems, according to three current and former officials who spoke to NBC News. The US government had said at the time that it was taking steps to block the balloon from collecting anything useful. The three officials added, though, that the US’s countermeasures succeeded at substantially reducing the amount of information the balloon was able to collect.