Shopping App Temu Is 'Dangerous Malware,' Spying On Your Texts, Lawsuit Claims (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Temu -- the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it -- is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit (PDF) filed Tuesday. Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."
"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place." Griffin fears that Temu is capable of accessing virtually all data on a person's phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin's suit claimed, which Temu then allegedly monetizes by selling it to third parties, "profiting at the direct expense" of users' privacy rights. "Compounding" risks is the possibility that Temu's Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "laws that mandate secret cooperation with China's intelligence apparatus regardless of any data protection guarantees existing in the United States."
Griffin's suit cited an extensive forensic investigation into Temu by Grizzly Research -- which analyzes publicly traded companies to inform investors -- last September. In their report, Grizzly Research alleged that PDD Holdings is a "fraudulent company" and that "Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests." As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile hundreds of complaints to the Better Business Bureau showed that Temu's goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu's end goal isn't to be the world's biggest shopping platform but to steal data. Investigators agreed, the lawsuit said, concluding "we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure." Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu's alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app. In a statement to Ars, a Temu spokesperson discredited Grizzly Research's investigation and said that the company was "surprised and disappointed by the Arkansas Attorney General's Office for filing the lawsuit without any independent fact-finding."
"The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded," Temu's spokesperson said. "We categorically deny the allegations and will vigorously defend ourselves."
"We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us. We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time." Last year, Temu was the most downloaded app in the U.S. and has only become more popular as reports of security and privacy risks have come out.
Gotta make money somehow (Score:1)
Temu has to make money somehow... they sell cool junk amazingly cheaply. That can't possibly be profitable.
So what are they doing to make money? Is it nefarious? I don't know... but it's plausible.
Now prove it. Or don't... it is an election year, so lots of unsubstantiated claims being slung around.
Um... slave labor (Score:2)
It's weird that we're worried about them spying on us and not the massive amount of human rights abuses...
Re: (Score:2)
It's weird that we're worried about them spying on us and not the massive amount of human rights abuses...
Probably because stopping the spying is much easier than solving the human rights issues of a sovereign nation. Are you suggesting we bring some "freedom" to China?
Re: (Score:1)
Re: (Score:2)
seriously. There is no way in heck they're not using slave labor.
Why should they use "slave labor"? They use the famous Chinese "996" work system, which means their staff works from 9am till 9pm, 6 days per week. This is as good as any "slave labor", plus in China it's considered patriotic.
Now, about the things they sell, some of them are certainly created with slave labor.
Re: (Score:2)
That can't possibly be profitable.
They're not selling name brand stuff at low prices, it's all Chinese no-name products. If you've ever been to a Harbor Freight Tools store, you're already familiar with exactly how that works. Everything is generic Chinese crap with some imaginary inflated price that your "savings" is calculated from.
Re:Gotta make money somehow (Score:5, Insightful)
The irony is that if you buy from Temu, you get cheap, Chinese stuff. However, if you buy from a more well known merchant US-side, you get the same Chinese stuff, but it isn't cheap.
Might as well cut out the middleman and pocket the savings yourself. Same with AliExpress and if you know what you are doing, Taobao.
Re: (Score:3)
It's very rare for shops in the UK to be selling dangerous goods, even if they're cheaply made in China. Buying mains or Li-ion powered stuff on Temu is a much more exciting proposition.
https://www.which.co.uk/news/a... [which.co.uk]
Might as well cut out the middleman and pocket the savings yourself.
the middle men have local skin in the game and in most cases make sure they're even vaguely compliant with safety regs.
Re: (Score:1)
Re: (Score:2)
I draw the line at talking shit about HFT.
Posting AC really shows just how passionate you are about Harbor Freight Tools.
Re: (Score:2)
Sounds like somebody has a crush!
Re: Gotta make money somehow (Score:1)
Re: (Score:2)
Fake it option ? (Score:5, Interesting)
Re:Fake it option ? (Score:5, Insightful)
Re:Fake it option ? (Score:5, Informative)
iPhone's iOS location privacy options are annoying. They need more options like deny once during ask me, allow/deny for specific time limits, etc. I want more options.
Re:Fake it option ? (Score:5, Interesting)
The ironic thing is that there used to be an app called xPrivacy which did exactly this for Android. Mic? It would get static. Location? You can set a location, have it move around. Contacts? It would make a jumbled list. Music? Random songs. Camera? Hope you like static footage. This was really useful for fleshlight apps that wanted every single permission under the sun, and wouldn't work otherwise.
Miss the days where one could actually hack privacy into Android with that, as well as kernel-level outgoing firewalling, so obvious bad sites could not be contacted.
Re: Fake it option ? (Score:2)
Re: (Score:3)
Your FleshLight app needed all those permissions to work??
So FleshLight now has a side business of screenshot porn?
LOL
Thank you for the laugh today.
Re: (Score:2)
You can still fake your location. You have to enable it in developer options, and then install an app that provides fake data.
For contacts you can use Shelter or Android 15's new built in support for sandboxing apps.
That said, almost every phone has had built in support for flashlight mode for a decade. You can usually add it to the notification shade menu. You shouldn't need an app for that. Unless you did really mean fleshlight and are talking about some kind of masturbation aid.
Re: Fake it option ? (Score:1)
Re: Fake it option ? (Score:2)
There are actually apps (for Android at least) that allow you to do exactly that. Not in the Google store though. Look up "mock my gps". My favorite location to hang in is the North pole.
Re: Fake it option ? (Score:2)
/e/OS makes faking location way easy, and the roadmap has toggling individual apps to fake location for, like one gets to choose which apps to route via tor.
https://doc.e.foundation/suppo... [doc.e.foundation]
Location is one thing, all the other permissions look like a whole other ballpark. Might be a thing for apps confined to the "work profile" maybe?
Re: (Score:2)
Android has that feature.
You can use it via an open source app called Shelter, which silos apps off under the "work profile". Just don't add any contacts to it and any app running there gets an empty list.
Android 15 is adding built in support for it, or rather a UI to make a longstanding feature accessible.
Re: (Score:2)
Because this would violate the rights of the author of the flashlight app. Perhaps your GPS position is monetized to fund the app development. If you have problems with giving your flashlight app your GPS position, then just use another flashlight app. Nobody forces you to use this particular flashlight app.
Re: (Score:2)
This is how it was on Blackberry, I miss it every day.
Apps should not know if they were denied access.
The whole 'direct from China' model has to go. (Score:5, Insightful)
Since no laws need following, it also drives American brick and mortar retail further into the ground since they have to actually follow laws and pay taxes.
Apple iOS does not allow that (Score:5, Interesting)
Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place
Apple iOS does not allow such recompilation.
Re:Apple iOS does not allow that (Score:4, Funny)
yeah, well... neither does Android.
Re: (Score:2)
Even Windows doesn't... not that there is any Temu app for Windows, no?
Re:Apple iOS does not allow that (Score:4, Insightful)
what even is that? if it sounds like bullshit, smells like bullshit and looks like bullshit ...
Re: (Score:2)
what even is that? if it sounds like bullshit, smells like bullshit and looks like bullshit ...
An app cannot introduce new code by (re)compiling something. All code must be in place at review time. Data that new code needs may be downloaded at runtime.
Re:Apple iOS does not allow that (Score:5, Insightful)
by (re)compiling something
i want to see a proof of concept of that.
there are indeed ways to (try to) inject code on a phone, recompiling is not one of them. afaik, but i'd love to be proven wrong. until that point, i told you: it absolutely smells like bullshit because it is bullshit. try to even make sense of the sources of this tripe.
Re:Apple iOS does not allow that (Score:5, Informative)
Re: (Score:3)
Android apps can't modify their code under normal circumstances. It's possible but requires the user to authorize the app to install apps itself, since the modification can only take place on an APK, not on a running app. And then the user also has to authorize the installation of that specific app. By default Google Play blocks modified executables from being installed even after the user confirms installation, with a further few taps required to get through the scary warning messages.
It's a basic security
Re: (Score:2)
Android apps can't modify their code under normal circumstances. It's possible but requires the user to authorize the app to install apps itself, since the modification can only take place on an APK, not on a running app. And then the user also has to authorize the installation of that specific app.
And on iOS no such thing is allowed at all. All code must have gone through the approval process's examination and come from the App Store. Perhaps such a second app is what the author meant as recompile.
Re: (Score:2)
Yeah I think maybe they mean something like interpreting the code or downloading code and JIT'ing it. It's also very likely that Apple themselves isn't even sure exactly what they mean there, they just know there's a whole weird can of worms that can kinda sorta be called re/compiling so it's there if they wanna kick you off the store.
Also it covers a lot of threats that might be difficult to prove, like say you have an updater and a game scripting engine that's interpreted as part of your app. You could
Re: Apple iOS does not allow that (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Apple iOS does not allow that (Score:4, Interesting)
Because Apple thinks its end users are idiots and doesn't allow them to do a lot of things that are both possible and commonplace on Android. Like have a fully functional file browser or replace provided applications with their preferred version.
Re: (Score:1)
Hear hear! Heck, iOS users have to work extra hard to even join botnets!
Re: (Score:2)
Because you didn't think the alternatives were cool enough.
For privacy and productivity, you couldn't get any better than Blackberry. BB10 (QNX) was also just about the best mobile OS around. Both iOS and Android are still playing catch-up.
But it wasn't cool, so all the tech bros shouted 'it's dying, it's dying' even as it outsold Apple quarter after quarter ... until 2013, when Apple finally pulled ahead.
FirefoxOS had a lot of potential, but it died with boot2gecko. A real shame, given how open it was.
Re:Apple iOS does not allow that (Score:5, Interesting)
Apple iOS does not allow such recompilation.
It's worth mentioning that when Apple implemented stronger privacy protections on iOS, Meta whined about it quite loudly. [forbes.com] I'd say it's a very safe assumption that Temu can't get their snoop on under iOS, and that this is entirely an Android problem. The real story here is that yet again Google really doesn't give a shit about protecting their users' privacy.
Re:Apple iOS does not allow that (Score:4, Informative)
According to Griffin, the same concerns that got Pinduoduo suspended last year remain today for Temu users, but the App Store and Google Play have allegedly failed to take action to prevent unauthorized access to user data.
If the claim is correct, both Apple and Google failed to protect the phone users.
Re: (Score:3)
either Temu is flagrantly exploiting zero day vulnerabilities in both IOS and Android or it's getting access by asking (spam your friends text messages to get 50 cents off!) which is more likely?
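The thread above turns on a concrete question: on Android, does an app reach texts, contacts, camera and location by "recompiling itself", or simply by asking for runtime permissions and being granted them? The practical check is to look at what the package manager has actually recorded. The following is an added example, not code from the article, the complaint, or any commenter: a small Python audit that parses the output of `adb shell dumpsys package <pkg>` (the sample output embedded below is constructed, `com.example.shop` is a placeholder package name, and the mapping from permission names to the complaint's data categories is the author's own) and reports which sensitive runtime permissions are granted, which are declared but not granted, and whether the app arrived via the Play Store installer or was sideloaded.

```python
import re

# Runtime ("dangerous") permissions mapped to the data categories the complaint
# names: camera, specific location, contacts, text messages, documents.
# This mapping is the example author's own, not from the page.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "specific location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "documents",
}

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell dumpsys package com.example.shop` output,
# trimmed to the fields the audit reads. com.example.shop is a placeholder
# package name, not any real app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.shop] (1a2b3c4):
    userId=10234
    versionCode=100 minSdk=24 targetSdk=33
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      gids=[3003]
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
        android.permission.READ_SMS: granted=false, flags=[ USER_FIXED]
      disabledComponents:
        com.example.shop.DebugActivity
"""

GRANT_LINE = re.compile(r"^\s*([\w.]+): granted=(true|false)")   # runtime/install entries
NAME_LINE = re.compile(r"^\s*([\w.]+)\s*$")                        # requested entries
INSTALLER_LINE = re.compile(r"installerPackageName=(\S+)")


def block_lines(text, header):
    """Yield the permission entries that follow `header` until the block ends."""
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == header:
            in_block = True
        elif in_block and stripped:
            # The first line that is not a permission entry closes the block.
            if not (GRANT_LINE.match(line) or NAME_LINE.match(line)):
                in_block = False
                continue
            yield line


def parse_runtime_permissions(text):
    """Return {permission: granted} from every 'runtime permissions:' block."""
    perms = {}
    for line in block_lines(text, "runtime permissions:"):
        match = GRANT_LINE.match(line)
        if match:
            perms[match.group(1)] = match.group(2) == "true"
    return perms


def parse_requested_permissions(text):
    """Return the set of permissions declared in the APK manifest."""
    matches = map(NAME_LINE.match, block_lines(text, "requested permissions:"))
    return {m.group(1) for m in matches if m}


def parse_installer(text):
    """Return the installer package name, or None if none is recorded."""
    match = INSTALLER_LINE.search(text)
    if not match or match.group(1) == "null":
        return None
    return match.group(1)


def audit(text):
    """Summarise what the app can actually reach and how it got onto the device."""
    runtime = parse_runtime_permissions(text)
    requested = parse_requested_permissions(text)
    granted = sorted(p for p, ok in runtime.items() if ok and p in SENSITIVE_PERMISSIONS)
    installer = parse_installer(text)
    return {
        "installer": installer,
        "sideloaded": installer != PLAY_STORE_INSTALLER,
        "granted_sensitive": granted,
        "data_reachable": sorted({SENSITIVE_PERMISSIONS[p] for p in granted}),
        # Declared but not granted: the app can still prompt for these later.
        "requested_not_granted": sorted(
            p for p in requested if p in SENSITIVE_PERMISSIONS and not runtime.get(p, False)
        ),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_DUMPSYS), indent=2))
```

Run it against a real capture by piping `adb shell dumpsys package <pkg>` into a file and passing its contents to `audit()`. On the constructed sample it reports camera and specific location as reachable, contacts and SMS as declared but withheld, and a Play Store install; a `sideloaded` result of `True` means the package-manager record shows an installer other than the Play Store (or none at all), which is the path the comments above describe as requiring the user to explicitly allow installs from that source.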
Re: (Score:3)
The claim is that it "recompiles itself" which makes no fucking sense so it's probably safe to assume the claims are at least 3/4 bullshit.
What the original author referred to as recompiling is what the more technically inclined would have referred to as code generation, and/or self-modifying code.
Re: (Score:2)
What the original author referred to as recompiling is what the more technically inclined would have referred to as code generation, and/or self-modifying code.
Both of which are impossible on Android. Executable code in memory is read-only, and data has the no-execute flag set. Set by the OS, they cannot be overridden by apps.
Re: Apple iOS does not allow that (Score:2)
App Focus was Always Shady (Score:5, Interesting)
I've occasionally seen ads from Temu and clicked around just to see what they were offering. But everything comes back to demanding you install the app. It's fine if a retailer encourages you to use their app, but it seemed like there were a lot of items they demanded you download their app to purchase. That was a red flag to me. A retailer who wants to sell you a product shouldn't care if you order it through the app or their website. It seemed like they were more interested in you downloading the app than buying anything. It all makes perfect sense if the app is spyware.
Re: (Score:2)
You stated my thoughts perfectly as well.
Re: (Score:3)
Re: (Score:2)
I've never clicked on a Temu ad. I still don't quite get who or what they are but the ads and numbers were so suspect, plus they were usually wrapped in a Taboola frame.
Re: (Score:2)
Re:apps (Score:5, Insightful)
Re: (Score:2)
Re: (Score:1)
Companies wonder why people do not want to install their apps.
No, they don't wonder this, I would imagine, because most people just do what their device tells them. "Download the app and give it all requested permissions, to save money? Why not?!"
Re: (Score:2)
Friggin' grocery stores are pushing their apps in order to get sale prices now.
I avoid those stores so it works in the opposite direction.
Screw 'em.
Blackmail, Behind Pipes, WR 3, Victoria Station (Score:2)
Temu never works for me (Score:3)
Every once in a while, I will see one of their ads with something interesting on it so I click. Then I just get some spinning wheel of death and never get to the product page. I just close the window.
It's rare I click on an ad, but when I do, it would be nice if it would fucking work.
Re: (Score:2)
Silly you, that "spinning wheel of death" is informing you to wait while your device's contents are downloaded. You're not waiting long enough.
Re: (Score:2)
Yeah. I don't have the patience for that shit.
I really wanted to buy one of those "launch rockets" cigarette lighter things too. Oh well.
Re: (Score:2)
Then I just get some spinning wheel of death and never get to the product page.
If you weren't getting the spinning wheel of death, you'd be getting the spinning wheel of fake discounts. Who doesn't want 70% off a "$1,400" self propelled electric push lawn mower from some manufacturer you've never heard of? Never mind that Walmart sells basically the same damn thing for slightly cheaper, and they're likely to actually honor the product's warranty.
Re: (Score:2)
Maybe (Score:2)
I would not be surprised if Temu were indeed this bad, but Grizzly Research LLC also looks a bit sus in my opinion. The report [grizzlyreports.com] is written in a very sensational style with dollops of hyperbole.
Hey (Score:2)
American tech companies! You keep laying off those Americans. Things will turn around for you any minute now.
Excellent (Score:2)
Just put a bunch of Taiwan listings in your contacts, your pictures, and elsewhere. It will either pollute their system or raise questions with the directorate. Or both.
"the Chinese shopping app" (Score:2)
Gee, I wonder why it's malware? Hmm...
Um... (Score:2)
Duh?
People are too willing to install apps when asked (Score:2)
If an app is just a app-ized website - be it Temu, Facebook, or Twitter - it's typically a bad idea to use it. All you're doing is giving that entity the chance to hoover up even more of your personal data.
Stick with the web interface, and use something other than Chrome to view the site.
So it's modeled on the Facebook app, hey? (Score:1)
duh (Score:2)
I thought everyone knew this.
Bullshit alert (Score:3)
It seems like it's just another attempt at extortion and/or stock manipulation.
Usual situation (Score:2)
Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "law
Exactly the same situation GAFAM face with US Patriot Act and CLOUD Act.
Temu SNL (Score:1)