Your data for a discount? The truth about app permissions
8 hours ago
SHAH ALAM – As more Malaysians hunt for cheaper deals online, shopping apps offering deep discounts, rewards and group-buying promotions are becoming increasingly popular.
However, cybersecurity experts said consumers should pay as much attention to what an app can access on their phones as they do to the price tags attached to products.
Growing discussions on social media have highlighted concerns about how secure some shopping applications are, particularly following reports involving vulnerabilities discovered in certain versions of the apps.
In a viral TikTok video, content creator @abangblur compiled publicly available reports from international cybersecurity researchers, alleging that certain versions of e-commerce platform Pinduoduo may be capable of exploiting Android vulnerabilities, gaining elevated system access and monitoring user activity beyond what is typically expected from a shopping application.
He said the content was intended for public awareness based on open-source research.
He claimed that some versions of the app could exploit security weaknesses in devices and download additional components after installation.
“The app can look for vulnerabilities in your phone and gain access. It can also download additional modules from its own server,” he said in the video.
He warned that the application may be able to track user behaviour across other apps and access notifications and files stored on devices.
He added that the system can monitor which apps are being used and track a user's behaviour on their phone, describing it as going beyond normal tracking.
He also advised users who still choose to install such applications to take precautions, including using a separate device and avoiding linking primary banking details.
“Use a separate phone, separate accounts and don’t link your main bank cards. Use temporary cards with limited funds,” he said.
The claims have reignited debate about how much personal data consumers may unknowingly expose when downloading apps in exchange for discounts, vouchers or rewards.
Founded in 2015 by entrepreneur Colin Huang, Pinduoduo grew rapidly in China through its group-buying model, allowing users to unlock lower prices by sharing product links with friends and family.
The platform later became one of China's largest e-commerce companies and launched international expansion efforts through its sister platform, Temu.
However, the company attracted scrutiny in 2023 when Google suspended downloads of Pinduoduo from the Google Play Store after security researchers discovered malicious code in some versions of the application distributed through third-party Chinese app stores.
According to reports by Bloomberg and CNN at the time, researchers found that certain versions of the app were capable of exploiting known Android vulnerabilities to gain elevated permissions, download additional modules and access notifications and files stored on devices.
Google subsequently warned users to uninstall identified malicious versions and activated Play Protect measures to block installation attempts.
Pinduoduo denied that the Play Store version contained malware and maintained that the problematic software originated from versions distributed outside Google's official ecosystem.
While the controversy generated significant attention, cybersecurity observers note that the incident does not necessarily mean every version of the app is unsafe.
Instead, they said the case highlights a broader issue affecting millions of consumers worldwide: understanding what permissions an application requests and what information users are willing to share in exchange for convenience.
Universiti Sains Malaysia Cybersecurity Research Centre director Professor Dr Selvakumar Manickam said consumers often underestimate the amount of information they share when using shopping applications.
“Many people think trading personal data for discounts is a new issue, but it has existed for decades. What has changed is the scale and ease of data collection,” he told Sinar Daily.
Selvakumar said modern apps can collect far more than basic information such as names, email addresses and payment details, including location data, shopping habits, browsing behaviour and app usage patterns.
He advised consumers to pay close attention to app permissions, particularly when applications request access that appears unrelated to their core functions.
“A simple shopping or coupon app generally does not need constant access to a user's contacts, microphone, Short Message Service (SMS) messages or call logs,” he added.
Meanwhile, Universiti Malaya Faculty of Computer Science and Information Technology professor Dr Ainuddin Wahid Abdul Wahab said many consumers unknowingly exchange valuable personal information for relatively small savings.
“We walk into a night market and the vendor says, ‘I’ll give you 20 per cent off, but first tell me your name, home address and who you called today.’ Most people would walk away.
“Yet this is essentially what many shopping and rewards apps ask for,” he said when contacted.
Ainuddin warned that consumers should not automatically assume an application is completely safe simply because it is available through official app stores.
“App store approval should be viewed as a first layer of screening, not a guarantee of safety,” he said.
He added that users should review app permissions carefully, enable two-factor authentication where available and avoid granting access to data that is unnecessary for the service being offered.
The discussion is becoming increasingly relevant as consumers embrace digital shopping platforms offering aggressive discounts and promotional campaigns.
While bargain hunting remains a normal part of online shopping, cybersecurity specialists recommend downloading applications only from official stores, regularly updating device software and using secure payment methods to reduce potential risks.

