These fake apps were signed with the signing key of the official PinDuoDuo app. Until PinDuoDuo can explain how this signing key was "stolen" they are to blame for creating this malware.