Editor’s Note — Sign up for Unlocking the World, CNN Travel’s weekly newsletter. Get news about destinations opening and closing, inspiration for future adventures, plus the latest in aviation, food and drink,
Johannesburg
CNN
—
The most wanted fugitive in the Rwandan genocide of 1994 has been arrested in Paarl, South Africa after decades on the run.
Fulgence Kayishema is accused of orchestrating the killing of more than 2,000 Tutsi refugees – women, men, children and the elderly – at Nyange Catholic Church during the genocide. He has been on the run since 2001.
He was captured Wednesday in a joint operation between the South African authorities and UN investigators.
When he was arrested, Kayishema initially denied his identity, according to a statement from the UN team. But by the end of the evening he told them: “I have been waiting a long time to be arrested.”
Investigators said he used multiple identities and forged documents to evade detection.
“The arrest was the culmination of an intense, thorough and rigorous investigation,” a senior official at the prosecutor’s office involved in the case told CNN.
“Family members and known associates were exhaustively investigated. That ultimately led to identifying the right location to search and finding the critical intelligence that was needed.”
“Fulgence Kayishema was a fugitive for more than 20 years. His arrest ensures that he will finally face justice for his alleged crimes,” said Chief Prosecutor Serge Brammertz of the United Nations’ International Residual Mechanism for Criminal Tribunals (IRMCT).
“Genocide is the most serious crime known to humankind. The international community has committed to ensure that its perpetrators will be prosecuted and punished. This arrest is a tangible demonstration that this commitment does not fade and that justice will be done, no matter how long it takes,” Brammertz said.
At the end of the genocide in July 1994, Kayishema fled to the Democratic Republic of Congo with his wife, children and brother-in-law. After relocating to other African countries, he moved to South Africa in 1999 and claimed asylum in Cape Town, using a false name.
According to prosecutors, since his arrival in South Africa he was able to rely on a tight support network including former Rwandan military members which went to extreme lengths to conceal his activities and whereabouts.
In recent years, the IRMCT prosecutor has complained about the lack of cooperation from South African authorities and there have been a series of near misses capturing Kayishema. A report describes a failure to arrest Kayishema three years ago.
But on Thursday, Brammertz lauded the cooperation and support of the South African government.
The events in Nyanga, Rwanda, were one of the most brutal of the genocide, in which an estimated 800,000 Tutsis and moderate Hutus were killed over the period of 90 days.
The tribunal alleges that Kayishema directly participated in the “planning and execution of this massacre.” The indictment says he bought and distributed petrol to burn down the church while refugees were inside. Kayishema and others are also accused of using a bulldozer to collapse the church following the fire, while refugees were still inside.
The former priest at the church, Athanase Seromba, was convicted over the massacre in 2006 and sentenced to 15 years in prison, which was later increased to a life sentence on appeal.
Kayishema is due to be arraigned on Friday in a Cape Town court.
A reward of up to $5,000,000 was offered by the US War Crimes Rewards Program for information on Kayishema and the other fugitives wanted for perpetrating the Rwandan genocide.
With the arrest of Kayishema, the UN is still seeking three more prominent suspects.
In 2020, another fugitive was captured in a Paris suburb after more than 20 years on the run.
Félicien Kabuga, “one of the world’s most wanted fugitives,” who is alleged to have been a leading figure in the genocide, was arrested in a joint operation with French authorities.
The Rwandan genocide saw Hutu militias and civilians alike murder vast numbers of members of the Tutsi ethnic minority: men, women and children, many of whom had been their neighbors before the conflict began.
The killings finally came to an end 100 days later, when Rwandan Patriotic Front (RPF) troops, led by Paul Kagame, defeated the Hutu rebels and took control of the country.
Don't Miss
CNN
—
It is one of China’s most popular shopping apps, selling clothing, groceries and just about everything else under the sun to more than 750 million users a month.
But according to cybersecurity researchers, it can also bypass users’ cell phone security to monitor activities on other apps, check notifications, read private messages and change settings.
And once installed, it’s tough to remove.
While many apps collect vast troves of user data, sometimes without explicit consent, experts say e-commerce giant Pinduoduo has taken violations of privacy and data security to the next level.
In a detailed investigation, CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.
Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.
“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things that they’re not supposed to gain access to,” said Mikko Hyppönen, chief research officer at WithSecure, a Finnish cybersecurity firm.
“This is highly unusual, and it is pretty damning for Pinduoduo.”
Malware, short for malicious software, refers to any software developed to steal data or interfere with computer systems and mobile devices.
Evidence of sophisticated malware in the Pinduoduo app comes amid intense scrutiny of Chinese-developed apps like TikTok over concerns about data security.
Some American lawmakers are pushing for a national ban on the popular short-video app, whose CEO Shou Chew was grilled by Congress for five hours last week about its relations with the Chinese government.
The revelations are also likely to draw more attention to Pinduoduo’s international sister app, Temu, which is topping US download charts and fast expanding in other Western markets. Both are owned by Nasdaq-listed PDD, a multinational company with roots in China.
While Temu has not been implicated, Pinduoduo’s alleged actions risk casting a shadow over its sister app’s global expansion.
There is no evidence that Pinduoduo has handed data to the Chinese government. But as Beijing enjoys significant leverage over businesses under its jurisdiction, there are concerns from US lawmakers that any company operating in China could be forced to cooperate with a broad range of security activities.
The findings follow Google’s suspension of Pinduoduo from its Play Store in March, citing malware identified in versions of the app.
An ensuing report from Bloomberg said a Russian cybersecurity firm had also identified potential malware in the app.
Pinduoduo has previously rejected “the speculation and accusation that Pinduoduo app is malicious.”
CNN has contacted PDD multiple times over email and phone for comment, but has not received a response.
Pinduoduo, which boasts a user base that accounts for three quarters of China’s online population and a market value three times that of eBay
(EBAY), wasn’t always an online shopping behemoth.
Founded in 2015 in Shanghai by Colin Huang, a former Google employee, the startup was fighting to establish itself in a market long dominated by e-commerce stalwarts Alibaba
(BABA) and JD.com
(JD).
It succeeded by offering steep discounts on friends-and-family group buying orders and focusing on lower-income rural areas.
Pinduoduo posted triple digit growth in monthly users until the end of 2018, the year it listed in New York. By the middle of 2020, though, the increase in monthly users had slowed to around 50% and would continue to decline, according to its earnings reports.
It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.
According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai.
“The goal was to reduce the risk of being exposed,” they said.
By collecting expansive data on user activities, the company was able to create a comprehensive portrait of users’ habits, interests and preferences, according to the source.
This allowed it to improve its machine learning model to offer more personalized push notifications and ads, attracting users to open the app and place orders, they said.
The team was disbanded in early March, the source added, after questions about their activities came to light.
PDD didn’t reply to CNN’s repeated requests for comment on the team.
Approached by CNN, researchers from Tel Aviv-based cyber firm Check Point Research, Delaware-based app security startup Oversecured and Hyppönen’s WithSecure conducted independent analysis of the 6.49.0 version of the app, released on Chinese app stores in late February.
Google Play is not available in China, and Android users in the country download their apps from local stores. In March, when Google suspended Pinduoduo, it said it had found malware in off-Play versions of the app.
The researchers found code designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it’s supposed to have, according to experts.
“Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn’t be able to do on Android phones,” said Hyppönen.
The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said. It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.
Check Point Research additionally identified ways in which the app was able to evade scrutiny.
The app deployed a method that allowed it to push updates without an app store review process meant to detect malicious applications, the researchers said.
They also identified in some plug-ins the intent to obscure potentially malicious components by hiding them under legitimate file names, such as Google’s.
“Such a technique is widely used by malware developers that inject malicious code into applications that have legitimate functionality,” they said.
Android targeted
In China, about three quarters of smartphone users are on the Android system. Apple
(AAPL)’s iPhone has 25% market share, according to Daniel Ives of Wedbush Securities.
Sergey Toshin, the founder of Oversecured, said Pinduoduo’s malware specifically targeted different Android-based operating systems, including those used by Samsung, Huawei, Xiaomi and Oppo.
CNN has reached out to these companies for comment.
Toshin described Pinduoduo as “the most dangerous malware” ever found among mainstream apps.
“I’ve never seen anything like this before. It’s like, super expansive,” he said.
Most phone manufacturers globally customize the core Android software, the Android Open Source Project (AOSP), to add unique features and applications to their own devices.
Toshin found Pinduoduo to have exploited about 50 Android system vulnerabilities. Most of the exploits were tailor made for customized parts known as the original equipment manufacturer (OEM) code, which tends to be audited less often than AOSP and is therefore more prone to vulnerabilities, he said.
Pinduoduo also exploited a number of AOSP vulnerabilities, including one which was flagged by Toshin to Google in February 2022. Google fixed the bug this March, he said.
According to Toshin, the exploits allowed Pinduoduo access to users’ locations, contacts, calendars, notifications and photo albums without their consent. They were also able to change system settings and access users’ social network accounts and chats, he said.
Of the six teams CNN spoke to for this story, three did not conduct full examinations. But their primary reviews showed that Pinduoduo asked for a large number of permissions beyond the normal functions of a shopping app.
They included “potentially invasive permissions” such as “set wallpaper” and “download without notification,” said René Mayrhofer, head of the Institute of Networks and Security at the Johannes Kepler University Linz in Austria.
Disbanding the team
Suspicions about malware in Pinduoduo’s app were first raised in late February in a report by a Chinese cybersecurity firm called Dark Navy. Even though the analysis didn’t directly name the shopping giant, the report spread quickly among other researchers, who did name the company. Some of the analysts followed up with their own reports confirming the original findings.
Soon after, on March 5, Pinduoduo issued a new update of its app, version 6.50.0, which removed the exploits, according to two experts who CNN spoke to.
Two days after the update, Pinduoduo disbanded the team of engineers and product managers who had developed the exploits, according to the Pinduoduo source.
The next day, team members found themselves locked out of Pinduoduo’s bespoke workplace communication app, Knock, and lost access to files on the company’s internal network. Engineers also found their access to big data, data sheets and the log system revoked, the source said.
Most of the team were transferred to work at Temu. They were assigned to different departments at the subsidiary, with some working on marketing or developing push notifications, according to the source.
A core group of about 20 cybersecurity engineers who specialize in finding and exploiting vulnerabilities remain at Pinduoduo, they said.
Toshin of Oversecured, who looked into the update, said although the exploits were removed, the underlying code was still there and could be reactivated to carry out attacks.
Pinduoduo has been able to grow its user base against a backdrop of the Chinese government’s regulatory clampdown on Big Tech that began in late 2020.
That year, the Ministry of Industry and Information Technology launched a sweeping crackdown on apps that illegally collect and use personal data.
In 2021, Beijing passed its first comprehensive data privacy legislation.
The Personal Information Protection Law stipulates that no party should illegally collect, process or transmit personal information. They’re also banned from exploiting internet-related security vulnerabilities or engaging in actions that endanger cybersecurity.
Pinduoduo’s apparent malware would be a violation of those laws, tech policy experts say, and should have been detected by the regulator.
“This would be embarrassing for the Ministry of Industry and Information Technology, because this is their job,” said Kendra Schaefer, a tech policy expert at Trivium China, a consultancy. “They’re supposed to check Pinduoduo, and the fact that they didn’t find (anything) is embarrassing for the regulator.”
The ministry has regularly published lists to name and shame apps found to have undermined user privacy or other rights. It also publishes a separate list of apps that are removed from app stores for failing to comply with regulations.
Pinduoduo did not appear on any of the lists.
CNN has reached out to the Ministry of Industry and Information Technology and the Cyberspace Administration of China for comment.
On Chinese social media, some cybersecurity experts questioned why regulators haven’t taken any action.
“Probably none of our regulators can understand coding and programming, nor do they understand technology. You can’t even understand the malicious code when it’s shoved right in front of your face,” a cybersecurity expert with 1.8 million followers wrote last week in a viral post on Weibo, a Twitter-like platform.
The post was censored the next day.
Don't Miss
New Delhi
CNN
—
India will overtake China this year to become the world’s most populous country.
The likelihood of India passing that major milestone within a few months shot up Tuesday, when China reported that its population shrank in 2022 for the first time in more than 60 years.
This shift will have significant economic implications for both Asian giants, which have more than 1.4 billion residents each.
Along with the population data, China also reported one of its worst economic growth numbers in nearly half a century, underscoring the steep challenges the country faces as its labor force shrinks and the ranks of the retired swell.
For India, what economists and analysts call the “demographic dividend” could continue to support rapid growth as the number of healthy workers increases.
There are fears the country might miss out, however. That’s because India is simply not creating employment opportunities for the millions of young job seekers already entering the workforce every year.
The South Asian nation’s working-age population stands at over 900 million, according to 2021 data from the Organization for Economic Cooperation and Development (OECD). This number is expected to hit more than 1 billion over the next decade, according to the Indian government.
But these numbers could become a liability if policymakers do not create enough jobs, experts warned. Already, data show a growing number of Indians are not even looking for work, given the lack of opportunities and low wages.
India’s labor force participation rate, an estimation of the active workforce and people looking for work, stood at 46%, which is among the lowest in Asia, according to 2021 data from the World Bank. By comparison, the rates for China and the United States stood at 68% and 61% respectively in the same year.
For women, the numbers are even more alarming. India’s female work participation rate was just 19% in 2021, down from about 26% in 2005, the World Bank data shows.
“India is sitting on a time bomb,” Chandrasekhar Sripada, professor of organizational behavior at the Indian School of Business, told CNN. “There will be social unrest if it cannot create enough employment in a relatively short period of time.”
India’s unemployment rate in December stood at 8.3%, according to the Centre for Monitoring Indian Economy (CMIE), an independent think tank headquartered in Mumbai, which publishes job data more regularly than the Indian government. In contrast, the US rate was about 3.5% at the end of last year.
“India has the world’s largest youth population … There is no dearth of capital in the world today,” Mahesh Vyas, the CEO of CMIE, wrote in a blog post last year. “Ideally, India should be grabbing this rare opportunity of easy availability of labor and capital to fuel rapid growth. However, it seems to be missing this bus.”
Lack of high quality education is one of the biggest reasons behind India’s unemployment crisis. There has been a “massive failure at the education level” by policymakers, said Sripada, adding that Indian institutions emphasize “rote-learning” over “creative thinking.”
As a result of this toxic combination of poor education and lack of jobs, thousands of college graduates, including those with doctorates, end up applying for lowly government jobs, such as those of “peons” or office boys, which pay less than $300 a month.
The good news is that policymakers have recognized this problem and started putting “reasonable emphasis on skill creation now,” Sripada said. But it will be years before the impact of new policies can be seen, he added.
Asia’s third largest economy also needs to create more non-farm jobs to realize its full economic potential. According to recent government data, more than 45% of the Indian workforce is employed in the agriculture sector.
The country needs to create at least 90 million new non-farm jobs by 2030 to absorb new workers, according to a 2020 report by McKinsey Global Institute. Many of these jobs can be created in the manufacturing and constructions sectors, experts said.
As tensions between China and the West rise, India has made some progress in boosting manufacturing by attracting international giants such as Apple to produce more in the country. But, factories still constitute only 14% of India’s GDP, according to the World Bank.
With a 6.8% expansion in GDP forecast for this fiscal year ending March, the South Asian nation is expected to be the world’s fastest growing major economy. But, according to a former central banker, even this growth is “insufficient.”
“A lot of this growth is jobless growth. Jobs are essentially task one for the economy. We don’t need everybody to be a software programmer or consultant but we need decent jobs,” Raghuram Rajan, the former governor of the Reserve Bank of India, told media company NDTV, last year.
According to the Mckinsey report, for “gainful and productive employment growth of this magnitude, India’s GDP will need to grow by 8.0% to 8.5% annually over the next decade.”
Don't Miss
Editor’s Note — Sign up for Unlocking the World, CNN Travel’s weekly newsletter. Get news about destinations opening and closing, inspiration for future adventures, plus the latest in aviation, food and drink, where to stay and other travel developments.
(CNN) — The hospitality industry is back in full swing and the last couple of years have seen a host of exciting new hotels and spas open around the world.
Some of the most spectacular new designs have been honored by architecture and design magazine Dezeen, which has just released its awards shortlist for 2022.
The shortlisted projects have been selected from over 5,000 entries from more than 90 countries, but the top three entering countries are the US, the UK and China. The hotels and spas that have make their mark in the interiors and architecture categories have had a strong showing from Europe and North America — particularly Mexico.
Here are seven of the best-designed new hotels and spas for 2022, according to Dezeen. The finalists will be announced in November this year.
Bath & Barley (Brussels, Belgium)
Beer spas — bathing in tubs of hops, herbs and water — have long been a tradition in the Czech Republic, but despite its beer-making history, Bath & Barley is the first ever beer spa to open in Belgium.
Antwerp design agency WeWantMore had an excellent template to work with: A centuries-old building in Brussels’ old city center, with a stunning vaulted cellar. The refurb uses heritage materials such as copper, grain and stained glass, creating a relaxing space for visitors to soak in the wooden baths, before trying one of the draft beers on tap.
Schwan Locke (Munich, Germany)
Easily the most stylish way to do Munich’s Oktoberfest — the Theresienwiese grounds are just a few minutes away — is a hotel-home hybrid, featuring 151 spacious studio apartments.
The shared living spaces include a gym, a co-working space, a coffee shop, retail, and the BAMBULE! restaurant-bar, helmed by the team behind local Michelin-starred restaurant Mural.
The Hoxton Poblenou (Barcelona, Spain)
The Hoxton chain opened its 11th hotel — and first Spanish outpost — in Barcelona earlier this year.
The Ennismore design team took inspiration from the late Spanish architect Ricardo Bofill, who was known for his use of geometric forms.
The 240-room hotel features a rooftop pool and taqueria, as well as a pizza terrace and slice shop.
Downtown LA Proper Hotel (Los Angeles, California)
Downtown LA Proper Hotel has been a buzzing venue since the 1920s.
Kelly Wearstler
A historic 1920s building gets a playful modern makeover in this 148-room in Downtown LA. Latin American and Moroccan influences are in effect in the frescoes and finishings, with site-specific installations by local contemporary artists Abel Macias, Ben Medansky, Morgan Peck, and Judson Studios.
The rooftop pool features city-wide views, but if you want the waters all to yourself, there’s always the Pool Suite, with a private full-sized indoor swimming pool.
Casona Sforza (Puerto Escondido, Mexico)
This adults-only resort opened in Oaxaca in 2020 and architect Alberto Kalach’s building is a truly remarkable design.
The 11 vaulted suites feature tropical woods, natural materials and neutral colors, and each boast panoramic views of the azure sea beyond. A true balance of design and nature.
Casona Sforza, La barra Santa María Colotepec, 70934 Puerto Escondido, Oaxaca, Mexico
Hotel Terrestre (Puerto Escondido, Mexico)
Also in the port town of Puerto Escondido, Hotel Terrestre is a 100% solar powered boutique hotel constructed of local materials including concrete, white mud brick, “maqui” wood and natural pine wood.
The building is tucked away in a garden paradise of rich vegetation, and each room comes with its own outdoor shower and private garden of sand and flowers.
Hotel Terrestre, Carretera Salina Cruz- Pinotepa, 71983 Puerto Escondido, Oaxaco, Mexico
Valle San Nicolás Clubhouse (Valle de Bravo, Mexico)
Sordo Madaleno Arquitectos are the team behind this clubhouse for a residential development in Mexico’s Valle de Bravo.
The town is a center for water sports and this circular building makes the most of its lake and mountainside location.
The concept for the structure is a boat anchored in the lake, and floating on the water.
Don't Miss
