Google Suspends Chinese E-Commerce App Pinduoduo Over Malware

Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the app. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.

In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.

Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.

On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.

The three Samsung exploits that DarkNavy says were used by the malicious app. In November 2022, Google documented these three same vulnerabilities being used together to compromise Samsung devices.

DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.

“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”

On March 3, 2023, a denizen of the now-defunct cybercrime community BreachForums posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.

A Mar. 3, 2023 post on BreachForums, comparing the redacted code from the DarkNavy analysis with the same function in the Pinduoduo app available for download at the time.

On March 4, 2023, e-commerce expert Liu Huafang posted on the Chinese social media network Weibo that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.

On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.

That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.

Pinduoduo has not yet responded to requests for comment. Pinduoduo parent company PDD Holdings told Reuters that Google has not shared details about why it suspended the app.

The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”

Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.

Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.

“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.

However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by Huawei, Oppo, Tencent and VIVO.

Google said its ban did not affect the PDD Holdings app Temu, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network TikTok.

The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based ByteDance, said last month that it now has roughly 150 million monthly active users in the United States.

A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”

Over confidence is putting children at risk online says Kaspersky research

Research into the online safety of children has found that 65% of young people are unable to identify a phishing attack and cannot tell the difference between a scam and a legitimate email. Additionally, 48% of children (11-15) who say they are knowledgeable about online security have been a victim of a phishing scam themselves, highlighting a growing concern that Generation Z's overconfidence about online safety is putting them at risk.

Overconfident and oversharing

Although many under-18s believe themselves to be “cyber aware”, Kaspersky research reveals today that over half (59%) still admit to including personal information such as their name and date of birth on social media channels. 57% stated that they would also be prepared to disclose their pet’s names and favourite TV show on online quizzes.

This naivety contrasts with their assumed level of cyber knowledge: online games and quizzes are often used as vehicles by threat actors to gather as much information as possible on individuals.

Education for the Generations

Research also reveals that only 29% of adults are currently helping their children or the younger generation to identify phishing scams. In fact, 30% of adults, by their own admission, aren’t knowledgeable at all when it comes to online security, with 17% admitting that they have been, or are unsure if they have been, a victim of a phishing scam. This suggests that there needs to be more online education and information for all ages to help every generation stay safe online.

“Knowledge is power. But knowledge alone isn’t enough when it comes to online security,” said David Emm, Principal Security Researcher, Global Research and Analysis Team, Kaspersky. “Our findings show that a little bit of knowledge can be a very dangerous thing for children. The overconfidence we highlight in the report is putting them at serious risk from online threats.”

Emm continues, “For this reason, online safety education needs to be broadened from the dangers of content, to also cover the kind of attacks we are exposed to every day online. And cyber security education can’t just be for children, but it also needs to be extended to the older generations. As things stand, we have adults either not talking to children about online security, or if they do, unable to help them, because they don’t understand the threats themselves. Right now, it’s a case of the blind leading the blind. The situation is untenable, and we urgently need more awareness and more education.”

Kaspersky’s report ‘Overconfident and over exposed: Are Children Safe Online?’ followed 5,369 children and 5,665 adults across 7 countries in Europe. The research asked respondents about their understanding of online security, whether they knew what a phishing scam was, how much information they share online and who they relied on to help them identify potential threats. To download a copy of the report, please visit: https://media.kasperskydaily.com/wp-content/uploads/sites/96/2023/02/20161814/Kaspersky-State-of-Children-Online-Report-15-02.pdf

The post Over confidence is putting children at risk online says Kaspersky research appeared first on IT Security Guru.

7 Reasons Why Developers Prefer NeoVim Over Vim

The Vim editor is a successor to the vi editor found on the original UNIX. Neovim is a fork of Vim that aims to improve the quality of life of developers beyond what Vim offers.

Vim is an excellent choice for experienced sysadmins. However, NeoVim has gathered a significant following among developers.

Wondering why more developers are choosing NeoVim over Vim? As an ardent NeoVim user, I can think of the following reasons.

1: Project maintenance and feature improvements

You might be wondering: “With Vim so popular, especially because of the ‘I can’t quit Vim’ memes, Vim would be the go-to choice for users. Why would someone fork Vim and risk wasting development time just so a dozen people can use it?”

And that is a valid question. Vim is really popular! But that doesn’t mean that the community developing Vim is pleased with the state of the project itself.

There are two existing problems with Vim’s current codebase:

  • The lead developer of Vim has not been fostering the development of Vim as a community-friendly project. This argument is backed by features initially added to Neovim, such as async support, a built-in terminal emulator, and pop-up windows (for showing debug messages and auto-completion suggestions), which were later adopted into Vim due to community “pressure”.
  • The Vim codebase is less maintainable than Neovim’s.

2: Code auto-completion (LSP)

LSP or Language Server Protocol is a protocol that defines how an editor communicates with a “language server” to enable options like code highlighting, syntax checking, code completion, inlay hints, type hints, and much more.

No matter how good a developer you are, getting type hints, error highlighting and more in the editor itself may not make you a better developer. Still, it will undoubtedly reduce your development and/or debugging time.

Neovim ships with out-of-the-box support for LSP and uses Lua for further configuration. Vim, however, needs an external plugin to achieve this functionality.

3: Support for better plugins

A plugin is something that plugs into an existing thing and adds a new feature to it. In this case, an editor plugin is something that plugs into the editor and provides more functionality.

Vim already has rich plugin support and also an ecosystem, so much so that there are plugin managers just for Vim!


But Neovim one-ups Vim by allowing plugins to be written in a more versatile language: Lua. Not that Vim’s built-in language is bad, but if you want IDE-like functionality, the setup gets complicated, and with an actual programming language this configuration is comparatively easier than in Vim.

This means that you can extend or modify even core Neovim functionality.

There are plugins that exist exclusively for Neovim because Vim does not offer a similar level of extensibility.

4: Parallel start up

I mentioned above that Neovim uses Lua as an optional, additional language for plugin configuration. But did you know that Neovim starts each plugin in parallel?

This ought to make Neovim feel even faster, especially if you have plugins that take a few seconds to initialize!

5: Ability to embed the editor

Because the Neovim codebase is comparatively easier to maintain than Vim’s, embedding the core editor into something else becomes a real possibility.

You can finally have a good editor in VS Code now 😎

6: Location of config file(s)

Having used Vim, when I distro-hopped to a new Linux distribution, I would usually forget to take a backup of the ~/.vimrc file because it was not in my ~/.config directory.

Most modern Linux applications adhere to a standard called XDG (Cross Desktop Group). This standard defines various things, but the most important one in this case is the location from which an application loads its config file(s).

This standard dictates that user-specific config files should be stored inside the ~/.config directory. Neovim adheres to this, and the primary config file (init.vim) is stored inside the ~/.config/nvim/ directory.

This is a minor nitpick, but it weighs in heavily when taking a backup of the important files on your computer.

7: Optimizations made in Neovim

Before I talk about optimizations, please note that both editors are fast enough that neither may feel faster than the other in day-to-day tasks. But I feel obliged to share this.

Neovim has several optimizations in how it reacts to user commands. For example, take the following command:

:g/<pattern>/d

If you execute the above command in Vim, it will find all the lines matching your specified regex pattern and delete those lines. That is not all that Vim does, though: the d command also copies the deleted text to a register (Vim’s equivalent of a clipboard).

This means, Vim will do the following:

  1. Find the line with the pattern
  2. Copy it to the register
  3. Delete the line
  4. Go to step 1 if there are other lines with a matching pattern

If you do not want Step 2, you can use the following command in Vim:

:g/<pattern>/d _

The above command will do everything except copy the line to the register, speeding up the operation. Suppose you run the previous command (without the underscore) in Neovim. In that case, it will notice that you are trying to delete multiple lines and will automatically “optimize” the command as if you had included the underscore.

Bonus: Better out-of-the-box configuration

This is somewhat of a personal opinion, but if you are new to both Vim and Neovim, I would advise you to start your journey with Neovim. Both editors can be configured, but Neovim has better defaults.

For example, Neovim has the following knobs twisted by default:

  • autoindent is enabled by default
  • background defaults to “dark” unless explicitly set by the terminal
  • hlsearch (highlight all matches) is enabled by default

Though with newer releases of Vim this may change, as both editors are constantly evolving.


Conclusion

Vim was created to improve the existing Vi editor; its name stands for Vi IMproved. Similarly, NeoVim was created to improve the existing Vim editor, and its name stands for New Vim.

I was a Vim user for two years after I first gave it a try, and I have since happily migrated all of my Vim configuration to Neovim. This article outlines why someone might choose Neovim over traditional Vim.

Are you still using Vim? Do comment and let me know why! 🙂

Over reliance on shift-left can lead us in the wrong direction

The modern tech landscape is all about speed. In the great race to innovate, developers have been pushed to create and update applications at a hitherto unimaginable rate. As the bar is raised ever higher, and businesses scramble to keep up or get ahead, developers must build code faster than ever to speed development cycles.

The “shift-left” security movement grew out of this phenomenon. In order to save on human resources, cut costs and slash development time, organisations adopted processes that incorporate security requirements earlier in the development cycle.

As such, shift-left has taken the security world by storm – and it’s understandable. Closing security gaps in the early stages of development does save precious time, resources, and money.

But there’s a catch. 

Shift-left provides the most value for new and emerging technologies. Before new tech is implemented, developers and their employers can easily establish security guidelines and parameters for the technology development process. Because new technologies have yet to be incorporated into the running infrastructure, they don’t need to retrofit any security capabilities.

However, the crux of the issue is that shift-left only identifies security gaps in the development stage. Shift-left capabilities cannot protect what’s already running in your environment, so anything already deployed is left unprotected. Jettisoning runtime monitoring and protection capabilities in favour of shift-left tactics will leave existing running assets exposed.

This especially applies to application programming interfaces (APIs). APIs allow for the instant exchange of data across multiple platforms, and their usage has rocketed with the dramatic increase in digital services and online applications. In today’s API-driven economy, companies typically have hundreds or even thousands of APIs running, many of which they are completely unaware of. Shift-left, by its nature, isn’t going to help organisations discover these APIs.

Moreover, because APIs aren’t straight code, it’s impossible to identify all flaws in the development and testing phases. Business logic flaws in APIs can only be identified when the APIs are ‘exercised’. This requires security capabilities external to the code base. It’s still worthwhile for organisations to use security testing tools to verify specific facets of API implementation (prominent misconfigurations or vulnerabilities, for example); however, it’s crucial to recognise their limitations when it comes to assaults on business logic.

Another issue with shift-left is that it doesn’t reduce risk quickly enough. A recent study found that 62% of organisations remain unaware of vulnerabilities that could lead to a data breach. Worse still, the same study revealed that 60% of breach victims were breached via an unpatched but known vulnerability. In the case of high-severity vulnerabilities, the report found that an average of 246 days would pass before they were fixed.

Cutting down these excessive patch times requires starting with the right and then shifting left.

So, just what does starting with the right mean?

Starting with the right means starting with runtime protection. Runtime protection is essentially a tourniquet for cyber-wounds, protecting an organisation’s data and systems while security teams identify and patch whatever vulnerability may have been exploited. This means that all of your workloads have an immediate defence, cutting down security risk without any tinkering with code.

The best runtime protection services carry out behavioural analysis, allowing for ultra-fast attack detection and response. This works by showing security teams what “normal” behaviour looks like in their environment, making anomalies a whole lot easier to spot.

It’s also worth noting that runtime protection complements shift-left tactics. Runtime insights dig out vulnerabilities that can be remediated in development, so security teams can share that data with development teams to inform future cycles.

To add some context, the infamous Log4j (Log4Shell) vulnerability would not have been discovered using shift-left tactics. One can only imagine the chaos that would have ensued had that been the only line of defence. Worse still, the top six threats on the OWASP API Security Top 10 list stem from business logic gaps, for which shift-left is useless.

Not all attacks can be uncovered by testing tools; they simply weren’t designed for that. Runtime protection allows organisations to spot security threats and respond to them faster.

Educating developers on the importance of secure coding and implementing responsible shift-left measures provides value and helps businesses think strategically about bolstering their security posture.

However, shift-left isn’t a one-stop fix: relying on it alone leaves organisations at enormous risk.

By Nick Rago, Field CTO at Salt Security

The post Over reliance on shift-left can lead us in the wrong direction appeared first on IT Security Guru.

Over 8000 VNC instances left exposed, researchers find

Researchers have discovered 8000 exposed Virtual Network Computing (VNC) instances, which could put numerous global organisations at risk of remote compromise. Notably, the instances were managed by critical national infrastructure (CNI) organisations, which are responsible for water treatment plants, manufacturing plants and research facilities.

VNC is a cross-platform screen-sharing system that allows users to remotely control another computer. With authentication disabled, malicious actors have the ability to hijack certain endpoints and, with them, the industrial control systems these may be connected to.

Etay Maor, Senior Director of Security Strategy at Cato Networks, comments: “VNCs are fundamentally appliances and each appliance needs to be carefully maintained, upgraded, and patched. It’s the same problem IT has long faced. Moving to a cloud-native SASE service allows critical infrastructure organisations to protect the infrastructure without compromising service delivery. They can apply virtual patches protecting internal infrastructure without having to actually update that infrastructure.”

The researchers warned that exposed VNC deployments could be exploited by malicious actors for sabotage, as well as to steal data, extort their victims and deploy ransomware. As such, all firms running VNC should immediately improve their security awareness training, review their access policies and ensure that appropriate firewalls are in place. Most importantly, all devices must be patched and continuously monitored in order to avoid falling victim to this particular attack.
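The exposure described above is visible in the very first bytes a VNC server sends: before any login, an RFB server announces which security types it offers, and a server that lists type 1 ("None") accepts sessions with no authentication at all. The following added example (not from the research or any vendor) parses those two pre-authentication messages as defined in RFC 6143 so that an inventory or audit job can flag which of an organisation's own VNC endpoints are configured without authentication. The sample handshake bytes are constructed inline; nothing is sent over the network, and the helper names (parse_protocol_version, parse_security_types, assess_server) are my own.

```python
import re

# Security-type values from RFC 6143 section 7.1.2 (plus two common
# extension types) so the report can name what the server advertised.
SEC_INVALID = 0
SEC_NONE = 1          # no authentication: the finding we care about
SEC_VNC_AUTH = 2
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNCAuth", 16: "Tight", 19: "VeNCrypt"}

# ProtocolVersion is exactly 12 bytes: "RFB xxx.yyy\n"
VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_protocol_version(msg: bytes):
    """Return (major, minor) from the server's ProtocolVersion message."""
    m = VERSION_RE.match(msg)
    if m is None or len(msg) != 12:
        raise ValueError("not an RFB ProtocolVersion message")
    return int(m.group(1)), int(m.group(2))


def _reason(msg: bytes, offset: int) -> str:
    """Decode the U32-length-prefixed reason string the server sends on refusal."""
    if len(msg) < offset + 4:
        raise ValueError("truncated reason length")
    rlen = int.from_bytes(msg[offset:offset + 4], "big")
    return msg[offset + 4:offset + 4 + rlen].decode("latin-1", "replace")


def parse_security_types(msg: bytes, version):
    """
    Return (security_types, refusal_reason) from the server's security message.
    RFB 3.7/3.8: U8 count, then `count` U8 types; count == 0 means the server
    refused and a reason string follows.  RFB 3.3: a single U32 type instead,
    where 0 again means refusal followed by a reason string.
    """
    if version < (3, 7):
        if len(msg) < 4:
            raise ValueError("truncated security type")
        sec = int.from_bytes(msg[:4], "big")
        if sec == SEC_INVALID:
            return [], _reason(msg, 4)
        return [sec], None
    if not msg:
        raise ValueError("truncated security type count")
    count = msg[0]
    if count == 0:
        return [], _reason(msg, 1)
    if len(msg) < 1 + count:
        raise ValueError("truncated security type list")
    return list(msg[1:1 + count]), None


def assess_server(version_msg: bytes, security_msg: bytes) -> dict:
    """Summarise a server's pre-auth handshake for an inventory report."""
    version = parse_protocol_version(version_msg)
    types, reason = parse_security_types(security_msg, version)
    return {
        "version": "%d.%d" % version,
        "security_types": [SECURITY_NAMES.get(t, "type-%d" % t) for t in types],
        "unauthenticated_access": SEC_NONE in types,
        "refusal_reason": reason,
    }


# Constructed sample handshakes (server -> client bytes only).
OPEN_SERVER = (b"RFB 003.008\n", b"\x02\x01\x02")          # offers None + VNCAuth
LOCKED_SERVER = (b"RFB 003.008\n", b"\x01\x02")            # VNCAuth only
LEGACY_OPEN_SERVER = (b"RFB 003.003\n", b"\x00\x00\x00\x01")   # RFB 3.3, type None
REFUSING_SERVER = (b"RFB 003.008\n",
                   b"\x00" + len(b"Too many connections").to_bytes(4, "big")
                   + b"Too many connections")

if __name__ == "__main__":
    for label, handshake in [("open", OPEN_SERVER), ("locked", LOCKED_SERVER),
                             ("legacy-open", LEGACY_OPEN_SERVER), ("refusing", REFUSING_SERVER)]:
        print(label, assess_server(*handshake))
```

Because the security-type list is sent before the client authenticates, an audit job built on this parser only reads the server's offer and never attempts a login; any endpoint reported with unauthenticated_access set is a candidate for enabling authentication, restricting it behind a firewall or VPN, or decommissioning it.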

The post Over 8000 VNC instances left exposed, researchers find appeared first on IT Security Guru.

T-Mobile-US Agree To Pay $350m Settlement Over 2021 Cyberattack

T-Mobile-US has agreed to pay $350m to settle class action claims related to a 2021 cyber-attack which impacted approximately 80 million US residents.

On Friday, in a filing with the Securities and Exchange Commission (SEC), the company explained that the money would be used to “fund claims submitted by class members, legal fees of plaintiffs’ counsel and the costs of administering the settlement.”

The mobile network said that it would also put an additional $150 million into data security and “related” technology over the next two years. The carrier is one of the largest in the US after its acquisition of Sprint in 2020.

The settlement, which is subject to final court approval, contains no admission of “liability, wrongdoing or responsibility.”

This case relates to a major data breach first disclosed last August, affecting over 80 million former, current and prospective customers. This estimate has gone up from the 55 million estimated at the end of August 2021.

Oliver Tavakoli, CTO at Vectra, said: “T-Mobile has repeatedly been lax in applying minimally acceptable controls to prevent these violations of end users’ privacy.”

“Note that some of the data leaked was private information collected from individuals whose applications for phones T-Mobile rejected several years prior to the breaches – information which they had no rationale to even keep.”

T-Mobile has suffered repeated breaches and cybersecurity incidents in the last few years.

The post T-Mobile-US Agree To Pay $350m Settlement Over 2021 Cyberattack appeared first on IT Security Guru.

Hacker Selling Data of Over 69 Million Neopets Members

Virtual pet website Neopets has suffered a data breach leading to the theft of a database containing the sensitive information of over 69 million members, along with the site’s source code.

The Neopets website allows members to own, raise, and play games with their virtual pets. The popular website recently launched NFTs that will be used as part of an online Metaverse game.

Earlier this week, a hacker using the name ‘TarTarX’ began selling the source code and database for the Neopets.com website for four bitcoins, worth approximately $94,000 at current prices.

TarTarX told BleepingComputer that they stole the database and approximately 460MB (compressed) of source code for the neopets.com website.

The hacker claims that this database contains the account information of over 69 million members, including email addresses, zip codes, and names, among other data.

The hacker also told BleepingComputer that they did not ransom the data to the owners of Neopets, Jumpstart, but have received interest from potential external buyers.

The authenticity of the database has not yet been independently verified. However, Pompompurin, the owner of the Breached.co hacking forum, vouched for the hacker’s claims after registering an account on the website and then being sent their newly created record from the database.

Pompompurin posted on the Breached.co forum: “Vouch, I registered an account on the website and he sent the full entry.”

This shows that TarTarX continued to have access to the site even after the data had gone on sale.

The Neopets team confirmed on the unofficial Neopets Discord server that they are aware of the security incident and are working on resolving it.

“We should note that the effectiveness of changing your Neopets password is currently debatable as long as hackers have live access to the database, as they can simply check what your new password is.”

“We cannot therefore strictly advise you on the best course of action given the circumstances.”

However, if you use the same Neopets password on other sites, you are advised to change it on those sites to a new, unique password.

The post Hacker Selling Data of Over 69 Million Neopets Members appeared first on IT Security Guru.