
Outsider Q&A

Open 413x45h4w opened this issue 1 year ago • 5 comments

Hello,

Congratulations to the author(s) on a very impressive piece of work.

Questions:

  1. How do you get from this to "40% of GMV," "40% of users" faked?
  2. For Pinduoduo to engage in this amount of spyware/malware activity across so many phones, surely it would have consumed a lot of data or raised other system flags, across multiple different Android versions. How could it go unnoticed for so long?
  3. Don't many other Chinese Android apps engage in (less egregious) versions of this behavior?

413x45h4w avatar Apr 03 '23 16:04 413x45h4w

Hi:

We also managed to do some analysis based on these authors' reports, and we can share some insights here on the above questions.

  1. We don’t know how this specific number was obtained, but it seems that we can get some evidence from the observation of Pinduoduo’s recent DAU drop, as they can no longer use backdoors for user growth now.
  2. We believe they were noticed by some people on social media, as they found their phones were malfunctioning. However, nobody ever did a deep technical analysis before and chained all these together, as Pinduoduo uses a quite sophisticated code protection and remote control mechanism.
  3. For other apps with a huge number of users, the answer is no. The CAC often carries out so-called App Privacy Compliance Rectification, and other companies who develop apps with a large number of users have no choice but to comply. Except Pinduoduo.

davinci2023fans avatar Apr 06 '23 11:04 davinci2023fans

Do you think Pinduoduo's competitors and ecosystem partners (like Huawei, Oppo etc, who operate their own appstores) were totally oblivious to this, or do you think they basically accepted money in order to provide Pinduoduo preferential treatment?

413x45h4w avatar Apr 06 '23 11:04 413x45h4w

> Do you think Pinduoduo's competitors and ecosystem partners (like Huawei, Oppo etc, who operate their own appstores) were totally oblivious to this, or do you think they basically accepted money in order to provide Pinduoduo preferential treatment?

I think the domestic ecosystem partners are totally aware; they just don't have the guts of Google to protect user privacy. All they want is to make more money from Pinduoduo; however, Pinduoduo also steals money from them. What a comedy :)

davinci2023fans avatar Apr 06 '23 12:04 davinci2023fans

I guess it's hard for investors / outsiders to have a sense of what level of shady tactics is normal and accepted in the PRC, versus what is clearly over the line and very likely to get punished by the PRC. But if this behavior is widely tolerated by PDD ecosystem partners and known to PDD competitors, it's difficult to argue that it's truly illegal, isn't it?

413x45h4w avatar Apr 16 '23 18:04 413x45h4w

I wonder if there are any senior people at any of these app store / mobile SDK companies who have starred this GitHub repo, who have an opinion.

It seems like their opinions are very important. If they find this behavior shocking and unacceptable, Pinduoduo will not be able to continue this corporate espionage behavior.

But as a foreigner I knew Qihoo 360 was able to do the exact same kind of behavior and get away with it for many years. Many Americans thought it was a fraud, when really they just didn't realize how things can work in the PRC sometimes.

413x45h4w avatar Apr 16 '23 18:04 413x45h4w