Android app from China executed 0-day exploit on millions of devices - Ars Technica

Fast-growing e-commerce app Pinduoduo had an EvilParcel stow-away.

Android apps digitally signed by China’s third-biggest e-commerce company exploited a zero-day vulnerability that allowed them to surreptitiously take control of millions of end-user devices to steal personal data and install malicious apps, researchers from security firm Lookout have confirmed.