We have a mobile application that acts as a shopping mall - users register in our application (so we process their personal data), and we have various shops that offer their products and services through our application. Once a user wants to purchase a product/service, we process the payment through the payment processor, and forward the personal data of the user to this shop so that the shop can deliver the product/service directly to the user.
So the question is: are we joint controllers with these shops according to GDPR?
It depends on how you intend to structure the application and how data will be processed.
If you decide how data will be processed by the app you can be the data controller of data of users, while the shop will be the data controller of the users who purchased something on their shop for their own purposes (i.e., billing, shipping, marketing), then, you may be separate controllers (you of the app, seller of the single mall), instead, if data are connected and jointly determine how data will be processed then you will be joint controllers.
Here you can find more information on data controller: