CNN
 — 

High speed trains have proved their worth across the world over the past 50 years.

It’s not just in reducing journey times, but more importantly, it’s in driving economic growth, creating jobs and bringing communities closer together. China, Japan and Europe lead the way.

So why doesn’t the United States have a high-speed rail network like those?

For the richest and most economically successful nation on the planet, with an increasingly urbanized population of more than 300 million, it’s a position that is becoming more difficult to justify.

Although Japan started the trend with its Shinkansen “Bullet Trains” in 1964, it was the advent of France’s TGV in the early 1980s that really kick-started a global high-speed train revolution that continues to gather pace.

But it’s a revolution that has so far bypassed the United States. Americans are still almost entirely reliant on congested highways or the headache-inducing stress of an airport and airline network prone to meltdowns.

China has built around 26,000 miles (42,000 kilometers) of dedicated high-speed railways since 2008 and plans to top 43,000 miles (70,000 kilometers) by 2035.

Meanwhile, the United States has just 375 route-miles of track cleared for operation at more than 100 mph.

“Many Americans have no concept of high-speed rail and fail to see its value. They are hopelessly stuck with a highway and airline mindset,” says William C. Vantuono, editor-in-chief of Railway Age, North America’s oldest railroad industry publication.

Cars and airliners have dominated long-distance travel in the United States since the 1950s, rapidly usurping a network of luxurious passenger trains with evocative names such as “The Empire Builder,” “Super Chief” and “Silver Comet.”

Deserted by Hollywood movie stars and business travelers, famous railroads such as the New York Central were largely bankrupt by the early 1970s, handing over their loss-making trains to Amtrak, the national passenger train operator founded in 1971.

In the decades since that traumatic retrenchment, US freight railroads have largely flourished. Passenger rail seems to have been a very low priority for US lawmakers.

Powerful airline, oil and auto industry lobbies in Washington have spent millions maintaining that superiority, but their position is weakening in the face of environmental concerns and worsening congestion.

US President Joe Biden’s $1.2 trillion infrastructure bill includes an unprecedented $170 billion for improving railroads.

Some of this will be invested in repairing Amtrak’s crumbling Northeast Corridor (NEC) linking Boston, New York and Washington.

There are also big plans to bring passenger trains back to many more cities across the nation – providing fast, sustainable travel to cities and regions that have not seen a passenger train for decades.

Add to this the success of the privately funded Brightline operation in Florida, which has been given the green light to build a $10 billion high-speed rail link between Los Angeles and Las Vegas by 2027, plus schemes in California, Texas and the proposed Cascadia route linking Portland, Oregon, with Seattle and Vancouver, and the United States at last appears to be on the cusp of a passenger rail revolution.

“Every president since Ronald Reagan has talked about the pressing need to improve infrastructure across the USA, but they’ve always had other, bigger priorities to deal with,” says Scott Sherin, chief commercial officer of train builder Alstom’s US division.

“But now there’s a huge impetus to get things moving – it’s a time of optimism. If we build it, they will come. As an industry, we’re maturing, and we’re ready to take the next step. It’s time to focus on passenger rail.”

Sherin points out that other public services such as highways and airports are “massively subsidized,” so there shouldn’t be an issue with doing the same for rail.

“We need to do a better job of articulating the benefits of high-speed rail – high-quality jobs, economic stimulus, better connectivity than airlines – and that will help us to build bipartisan support,” he adds. “High-speed rail is not the solution for everything, but it has its place.”

Only Amtrak’s Northeast Corridor has trains that can travel at speeds approaching those of the 300 kilometers per hour (186 mph) TGV and Shinkansen.

Even here, Amtrak Acela trains currently max out at 150 mph – and only in short bursts. Maximum speeds elsewhere are closer to 100 mph on congested tracks shared with commuter and freight trains.

This year, Amtrak plans to introduce its new generation Avelia Liberty trains to replace the life-expired Acelas on the NEC.

Capable of reaching 220 mph (although they’ll be limited to 160 mph on the NEC), the trains will bring Alstom’s latest high-speed rail technology to North America.

The locomotives at each end – known as power cars – are close relatives of the next generation TGV-M trains, scheduled to debut in France in 2024.

Sitting between the power cars are the passenger vehicles, which use Alstom’s Tiltronix technology to run faster through curves by tilting their bodies, much like a MotoGP rider does. And it’s not just travelers who will benefit.

“When Amtrak awarded the contract to Alstom in 2015 to 2016, the company had around 200 employees in Hornell,” says Shawn D. Hogan, former mayor of the city of Hornell in New York state.

“That figure is now nearer 900, with hiring continuing at a fast pace. I calculate that there has been a total public/private investment of more than $269 million in our city since 2016, including a new hotel, a state-of-the-art hospital and housing developments.

“It is a transformative economic development project that is basically unheard of in rural America and if it can happen here, it can happen throughout the United States.”

Alstom has spent almost $600 million on building a US supply chain for its high-speed trains – more than 80% of the train is made in the United States, with 170 suppliers across 27 states.

“High-speed rail is already here. Avelia Liberty was designed jointly with our European colleagues, so we have what we need for ‘TGV-USA’,” adds Sherin.

“It’s all proven tech from existing trains. We’re ready to go when the infrastructure arrives.”

And those new lines could arrive sooner than you might think.

In March, Brightline confirmed plans to begin construction on a 218-mile (351-kilometer) high-speed line between Rancho Cucamonga, near Los Angeles, and Las Vegas, carving a path through the San Bernardino Mountains and across the desert, following the Interstate 15 corridor.

The 200 mph line will slash times to little more than one hour – a massive advantage over the four-hour average by car or five to seven hours by bus – when it opens in 2027.

Mike Reininger, CEO of Brightline Holdings, says: “As the most shovel-ready high-speed rail project in the United States, we are one step closer to leveling the playing field against transit and infrastructure projects around the world, and we are proud to be using America’s most skilled workers to get there.”

Brightline West expects to inject around $10 billion worth of benefits into the region’s economy, creating about 35,000 construction jobs, as well as 1,000 permanent jobs in maintenance, operations and customer service in Southern California and Nevada.

It will also mark the return of passenger trains to Las Vegas after a 30-year hiatus – Amtrak canceled its “Desert Wind” route in 1997.

Brightline hopes to attract around 12 million of the 50 million one-way trips taken annually between Las Vegas and LA, 85% of which are taken by bus or car.

Meanwhile, construction is progressing on another high-speed line through the San Joaquin Valley.

Set to open around 2030, California High Speed Rail (CHSR) will run from Merced to Bakersfield (171 miles) at speeds of up to 220 mph.

Coupled with proposed upgrades to commuter rail lines at either end, this project could eventually allow high-speed trains to run the 350 miles (560 kilometers) between Los Angeles to San Francisco metropolitan areas in just two hours and 40 minutes.

CHSR has been on the table as far back as 1996, but its implementation has been controversial.

Disagreements over the route, management issues, delays in land acquisition and construction, cost over-runs and inadequate funding for completing the entire system have plagued the project – despite the economic benefits it will deliver as well as reducing pollution and congestion. Around 10,000 people are already employed on the project.

Costing $63 billion to $98 billion, depending on the final extent of the scheme, CHSR is to connect six of the 10 largest cities in the state and provide the same capacity as 4,200 miles of new highway lanes, 91 additional airport gates and two new airport runways costing between $122 billion and $199 billion.

With California’s population expected to grow to more than 45 million by 2050, high-speed rail offers the best value solution to keep the state from grinding to a smoggy halt.

Brightline West and CHSR offer templates for the future expansion of high-speed rail in North America.

By focusing on pairs of cities or regions that are too close for air travel and too far apart for car drivers, transportation planners can predict which corridors offer the greatest potential.

“It’s logical that the US hasn’t yet developed a nationwide high-speed network,” says Sherin. “For decades, traveling by car wasn’t a hardship, but as highway congestion gets worse, we’ve reached a stage where we should start looking more seriously at the alternatives.

“The magic numbers are centers of population with around three million people that are 200 to 500 miles apart, giving a trip time of less than three hours – preferably two hours.

“Where those conditions apply in Europe and Asia, high-speed rail reduces air’s share of the market from 100% to near zero. The model would work just as well in the USA as it does globally.”

Sherin points to the success of the original generation of Acela trains as evidence of this.

“When the first generation Acela trains started running between New York City and Washington in 2000, Amtrak attracted so many travelers that the airlines stopped running their frequent ‘shuttles’ between the two cities,” he adds.

However, industry observer Vantuono is more pessimistic.

“A US high-speed rail network is a pipe dream,” he says. “A lack of political support and federal financial support combined with the kind of fierce landowner opposition that CHSR has faced in California means that the challenges for new high-speed projects are enormous.”

According to the International Energy Agency (IEA), urban and high-speed rail hold “major promise to unlock substantial benefits” in reducing global transport emissions.

Dr. Fatih Birol, the IEA’s executive director, argues that rail transport is “often neglected” in public debates about future transport systems – and this is especially true in North America.

“Despite the advent of cars and airplanes, rail of all types has continued to evolve and thrive,” adds Birol.

Globally, around three-quarters of rail passenger movements are made on electric-powered vehicles, putting the mode in a unique position to take advantage of the rise in renewable energy over the coming decades.

Here, too, the United States lags far behind the rest of the world, with electrification almost unheard of away from the NEC.

Rail networks in South Korea, Japan, Europe, China and Russia are more than 60% electrified, according to IEA figures, the highest share of track electrification being South Korea at around 85%.

In North America, on the other hand, less than 5% of rail routes are electrified.

The enormous size of the United States and its widely dispersed population mitigates against the creation of a single, unified network of the type being built in China and proposed for Europe.

Air travel is likely to remain the preferred option for transcontinental journeys that can be more than 3,000 miles (around 4,828 kilometers).

But there are many shorter inter-city travel corridors where high-speed rail, or a combination of new infrastructure and upgraded railroad tracks or tilting trains, could eventually provide an unbeatable alternative to air travel and highways.

Editor’s Note: A version of this story first appeared in CNN’s Meanwhile in the Middle East newsletter, a three-times-a-week look inside the region’s biggest stories. Sign up here.

Abu Dhabi, UAE
CNN
 — 

Turkey’s persecuted pro-Kurdish party has emerged as a kingmaker in the country’s upcoming election, playing a decisive role that may just tip the balance enough to unseat two-decade ruler Recep Tayyip Erdogan.

In a key setback to the Turkish president and leader of the Justice and Development Party (AK Party), the pro-Kurdish Peoples’ Democratic Party (HDP) last month announced that it would not put forward its own presidential candidate, a move analysts say allows its supporters to vote for Erdogan’s main rival.

“We are facing a turning point that will shape the future of Turkey and (its) society,” said the HDP in a statement on March 23. “To fulfill our historical responsibility against the one-man rule, we will not field a presidential candidate in (the) May 14 elections.”

It is a twist of irony for the Turkish strongman, who spent the better half of the past decade cracking down on the party after it began chipping away at his voter base. Its former leader Selahattin Demirtas has been in prison for nearly seven years and the party faces possible closure by a court for suspected collusion with the militant Kurdistan Workers’ Party (PKK) and affiliated groups. But its influence may nonetheless determine the course of Turkey’s politics.

The HDP’s decision not to field a candidate came just three days after head of the Republican People’s Party (CHP) Kemal Kilicdaroglu, Erdogan’s main rival, visited the party’s co-chairs. He told reporters that the solution to Turkey’s problems, “including the Kurdish problem” lies in parliament,” according to Turkish media.

Kilicdaroglu, who represents the six-party Nation Alliance opposition bloc, is the strongest contender to run against Erdogan in years. And while the HDP hasn’t yet announced whether it will put its weight behind him, analysts say it is the kingmaker in the elections.

“It was a carefully crafted political discourse,” Hisyar Ozsoy, deputy co-chair of the HDP and a member of parliament from the predominantly Kurdish province of Diyarbakir, told CNN. “We are not going to have our own candidate, and we will leave it to the international community to interpret it the way they wish.”

Experts say the crackdown on the HDP is rooted in the threat it poses to Erdogan politically, as well as its position as one of the main parties representing Turkey’s Kurds, an ethnic minority from which a separatist militant movement has emerged.

The party and the Kurdish people have had a complicated relationship with Erdogan. The leader courted the Kurds in earlier years by granting them more rights and reversing restrictions on the use of their language. Relations with the HDP were also cordial once, as Erdogan worked with the party on a brief peace process with the PKK.

But ties between Erdogan and the HDP later turned sour, and the HDP fell under a sweeping crackdown aimed at the PKK and their affiliates.

Kurds are the biggest minority in Turkey, making up between 15% and 20% of the population, according to Minority Rights Group International.

It is unclear if the HDP will endorse Kilicdaroglu, but analysts say that the deliberate distance may be beneficial for the opposition candidate.

The accusations against the HDP place it in a precarious position during the elections. It currently faces a case in Turkey’s Constitutional Court over suspected ties to the PKK, which is designated as a terrorist group by Turkey, the United States and the European Union. Knowing it may be banned at any moment, its candidates are running under the Green Left Party in parliament.

If the opposition is seen as allying with the HDP, Erdogan’s AK Party may use its influence in the media to discredit it as being pro-PKK, said Murat Somer, a political science professor at Koc University in Istanbul and author of Return to Point Zero, a book on the Turkish-Kurdish question in Turkey.

The HDP’s threat to Erdogan’s hold on power became apparent after the June 2015 election, the first general election it participated in. It won 13% of the seats, denying the ruling AK Party its majority for the first time since 2002. Erdogan, however, called a snap election five months later, which led to a drop in the HDP’s support to 10.7%, as well as the restoration of the AK Party’s overall majority.

“They are a kingmaker in these elections because the HDP gets about half of the votes of the Kurdish population in Turkey,” said Somer, adding that the other, more conservative Kurdish voters have traditionally voted for Erdogan’s AK Party. And last month, the Free Cause Party (HUDA-PAR), a tiny Kurdish-Islamist party announced support for Erdogan in the elections. The party has never won seats in parliament.

The HDP knows that its position is key to the outcome of next month’s vote, but that it’s also in a delicate situation.

“We want to play the game wisely, and we need to be very careful,” said Ozsoy, adding that the party wants to avoid a “contaminated political climate” where the elections are polarized “between a very ugly ultra-nationalist discourse against Kilicdaroglu and others.”

The party was founded in 2012 with a number of aims, said Ozsoy, one of which was “peaceful and democratic resolution of the Kurdish conflict.”

Somer said that the party was seen to be “an initiative” of the PKK, which later led to a heavy government crackdown on it in the name of counterterrorism.

Its former leader Demirtas remains an influential figure.

The Turkish government has been trying to link the HDP to the PKK but has so far failed to prove “a real connection,” said Asli Aydintasbas, a visiting fellow at the Brookings Institution in Washington, DC.

A post-Erdogan Turkey may give some breathing space to the Kurds and Kurdish-dominated parties in Turkey, Aydintasbas told CNN, noting that many Kurdish voters have recently left Erdogan’s camp. “For HDP, this is more than just an ideological choice,” she said. “It’s a matter of survival.”

Ozsoy says his party understands what’s at stake, not only for Turkey’s Kurds but for all its minorities.

“We are aware of our responsibility here. We are aware of our role. We know we are in a kingmaker position,” the HDP lawmaker said.

Two women arrested for not wearing hijab following ‘yogurt attack’

Two women were arrested in Iran for failing to wear the hijab in public, after a man threw a tub of yogurt at them at a store in the city of Shandiz on Thursday, according to Mizan News Agency, the state-run outlet for Iran’s judiciary.

Oil prices surge after OPEC+ producers announce surprise cuts

Oil prices spiked Monday after OPEC+ producers unexpectedly announced that they would cut output. Brent crude, the global benchmark, jumped 5.31% to $84.13 a barrel, while WTI, the US benchmark, rose 5.48% to $79.83. Both were the sharpest price rises in almost a year. The collective output cut by the nine members of OPEC+ totals 1.66 million barrels per day.

Iran blames Israel for the killing of second IRGC officer, vows to respond

A second Iranian Islamic Revolutionary Guard Corps (IRGC) officer died following an attack in Syria on Friday, according to Iranian state media on Sunday. Iranian state media said the Iranian military adviser died after an Israeli attack near the Syrian capital Damascus left him wounded. The attack also killed another IRGC officer. In a tweet on Sunday, Iranian government spokesman Ali Bahadori Jahromi said the alleged Israeli attack wouldn’t go unanswered. Iranian Foreign Ministry spokesman Nasser Kanaani said on Sunday that Iran has the right to respond to “state terrorism.”

Iranian-American comedian Maz Jobrani, who has been touring the Middle East, spoke to CNN’s Becky Anderson about his support for the protests in his homeland, saying that he used his standup comedy platform to highlight the “brutality against the Iranian people.”

“It was an opportunity for me to say, ‘let’s keep fighting,’” he said.

Watch the interview here.

An Iranian state news outlet is gloating at what it sees as the demise of the US dollar.

IRNA recreated a popular meme to mark China and Brazil’s decision to reportedly ditch the US dollar as an intermediary in trade, citing the Chinese state news outlet, China Daily. It shows two men representing China and Brazil posing in front of a grave labelled “USD.”

The meme was pinned to the top of IRNA’s Twitter page, and was met with laughter and ridicule. “Dream on,” said another user, pointing to the dollar’s use as the main reserve currency around the world.

China Daily said that the agreement was part of “the rising global use of the Chinese renminbi.” It would reportedly enable China and Brazil to conduct trade and financial transactions using local currencies instead of the dollar.

CNN
 — 

It is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.

But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings.

And once installed, it’s tough to remove.

While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.

In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.

Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.

“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm.

“This is highly unusual, and it is pretty damning for Pinduoduo.”

Malware, short for malicious software, refers to any software developed to steal data or interfere with computer systems and mobile devices.

Evidence of sophisticated malware in the Pinduoduo app comes amid intense scrutiny of Chinese-developed apps like TikTok over concerns about data security.

Some American lawmakers are pushing for a national ban on the popular short-video app, whose CEO Shou Chew was grilled by Congress for five hours last week about its relations with the Chinese government.

The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.

While Temu has not been implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.

There is no evidence that Pinduoduo has handed data to the Chinese government. But as Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities.

The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.

An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.

Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”

CNN has contacted PDD multiple times over email and phone for comment, but has not received a response.

Pinduoduo, which boasts a user base that accounts for three quarters of China’s online population and a market value three times that of eBay

(EBAY), wasn’t always an online shopping behemoth.

Founded in 2015 in Shanghai by Colin Huang, a former Google employee, the startup was fighting to establish itself in a market long dominated by e-commerce stalwarts Alibaba

(BABA) and JD.com

(JD).

It succeeded by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas.

Pinduoduo posted triple digit growth in monthly users until the end of 2018, the year it listed in New York. By the middle of 2020, though, the increase in monthly users had slowed to around 50% and would continue to decline, according to its earnings reports.

It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.

According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai.

“The goal was to reduce the risk of being exposed,” they said.

By collecting expansive data on user activities, the company was able to create a comprehensive portrait of users’ habits, interests and preferences, according to the source.

This allowed it to improve its machine learning model to offer more personalized push notifications and ads, attracting users to open the app and place orders, they said.

The team was disbanded in early March, the source added, after questions about their activities came to light.

PDD didn’t reply to CNN’s repeated requests for comment on the team.

Approached by CNN, researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.

Google Play is not available in China, and Android users in the country download their apps from local stores. In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.

The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.

“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.

The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said. It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.

Check Point Research additionally identified ways in which the app was able to evade scrutiny.

The app deployed a method that allowed it to push updates without an app store review process meant to detect malicious applications, the researchers said.

They also identified in some plug-ins the intent to obscure potentially malicious components by hiding them under legitimate file names, such as Google’s.

“Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” they said.

Android targeted

In China, about three quarters of smartphone users are on the Android system. Apple

(AAPL)’s iPhone has 25% market share, according to Daniel Ives of Wedbush Securities.

Sergey Toshin, the founder of Oversecured, said Pinduoduo’s malware specifically targeted different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi and Oppo.

CNN has reached out to these companies for comment.

Toshin described Pinduoduo as “the most dangerous malware” ever found among mainstream apps.

“I’ve never seen anything like this before. It’s like, super expansive,” he said.

Most phone manufacturers globally customize the core Android software, the Android Open Source Project (AOSP), to add unique features and applications to their own devices.

Toshin found Pinduoduo to have exploited about 50 Android system vulnerabilities. Most of the exploits were tailor made for customized parts known as the original equipment manufacturer (OEM) code, which tends to be audited less often than AOSP and is therefore more prone to vulnerabilities, he said.

Pinduoduo also exploited a number of AOSP vulnerabilities, including one which was flagged by Toshin to Google in February 2022. Google fixed the bug this March, he said.

According to Toshin, the exploits allowed Pinduoduo access to users’ locations, contacts, calendars, notifications and photo albums without their consent. They were also able to change system settings and access users’ social network accounts and chats, he said.

Of the six teams CNN spoke to for this story, three did not conduct full examinations. But their primary reviews showed that Pinduoduo asked for a large number of permissions beyond the normal functions of a shopping app.

They included “potentially invasive permissions” such as “set wallpaper” and “download without notification,” said René Mayrhofer, head of the Institute of Networks and Security at the Johannes Kepler University Linz in Austria.

Disbanding the team

Suspicions about malware in Pinduoduo’s app were first raised in late February in a report by a Chinese cybersecurity firm called Dark Navy. Even though the analysis didn’t directly name the shopping giant, the report spread quickly among other researchers, who did name the company. Some of the analysts followed up with their own reports confirming the original findings.

Soon after, on March 5, Pinduoduo issued a new update of its app, version 6.50.0, which removed the exploits, according to two experts who CNN spoke to.

Two days after the update, Pinduoduo disbanded the team of engineers and product managers who had developed the exploits, according to the Pinduoduo source.

The next day, team members found themselves locked out of Pinduoduo’s bespoke workplace communication app, Knock, and lost access to files on the company’s internal network. Engineers also found their access to big data, data sheets and the log system revoked, the source said.

Most of the team were transferred to work at Temu. They were assigned to different departments at the subsidiary, with some working on marketing or developing push notifications, according to the source.

A core group of about 20 cybersecurity engineers who specialize in finding and exploiting vulnerabilities remain at Pinduoduo, they said.

Toshin of Oversecured, who looked into the update, said although the exploits were removed, the underlying code was still there and could be reactivated to carry out attacks.

Pinduoduo has been able to grow its user base against a backdrop of the Chinese government’s regulatory clampdown on Big Tech that began in late 2020.

That year, the Ministry of Industry and Information Technology launched a sweeping crackdown on apps that illegally collect and use personal data.

In 2021, Beijing passed its first comprehensive data privacy legislation.

The Personal Information Protection Law stipulates that no party should illegally collect, process or transmit personal information. They’re also banned from exploiting internet-related security vulnerabilities or engaging in actions that endanger cybersecurity.

Pinduoduo’s apparent malware would be a violation of those laws, tech policy experts say, and should have been detected by the regulator.

“This would be embarrassing for the Ministry of Industry and Information Technology, because this is their job,” said Kendra Schaefer, a tech policy expert at Trivium China, a consultancy. “They’re supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator.”

The ministry has regularly published lists to name and shame apps found to have undermined user privacy or other rights. It also publishes a separate list of apps that are removed from app stores for failing to comply with regulations.

Pinduoduo did not appear on any of the lists.

CNN has reached out to the Ministry of Industry and Information Technology and the Cyberspace Administration of China for comment.

On Chinese social media, some cybersecurity experts questioned why regulators haven’t taken any action.

“Probably none of our regulators can understand coding and programming, nor do they understand technology. You can’t even understand the malicious code when it’s shoved right in front of your face,” a cybersecurity expert with 1.8 million followers wrote last week in a viral post on Weibo, a Twitter-like platform.

The post was censored the next day.