Shopping App Temu Is 'Dangerous Malware,' Spying On Your Texts, Lawsuit Claims (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Temu -- the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it -- is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit (PDF) filed Tuesday. Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place." Griffin fears that Temu is capable of accessing virtually all data on a person's phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin's suit claimed, which Temu then allegedly monetizes by selling it to third parties, "profiting at the direct expense" of users' privacy rights. "Compounding" risks is the possibility that Temu's Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "laws that mandate secret cooperation with China's intelligence apparatus regardless of any data protection guarantees existing in the United States."

Griffin's suit cited an extensive forensic investigation into Temu by Grizzly Research -- which analyzes publicly traded companies to inform investors -- last September. In their report, Grizzly Research alleged that PDD Holdings is a "fraudulent company" and that "Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests." As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile hundreds of complaints to the Better Business Bureau showed that Temu's goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu's end goal isn't to be the world's biggest shopping platform but to steal data. Investigators agreed, the lawsuit said, concluding "we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure." Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu's alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app.
In a statement to Ars, a Temu spokesperson discredited Grizzly Research's investigation and said that the company was "surprised and disappointed by the Arkansas Attorney General's Office for filing the lawsuit without any independent fact-finding."

"The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded," Temu's spokesperson said. "We categorically deny the allegations and will vigorously defend ourselves."

"We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us. We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time." Last year, Temu was the most downloaded app in the U.S. and has only become more popular as reports of security and privacy risks have come out.
  • Temu has to make money somehow... they sell cool junk amazingly cheaply. That can't possibly be profitable.

    So what are they doing to make money? Is it nefarious? I don't know... but it's plausible.

    Now prove it. Or don't... it is an election year, so lots of unsubstantiated claims being slung around.

    • seriously. There is no way in heck they're not using slave labor.

      It's weird that we're worried about them spying on us and not the massive amount of human rights abuses...
      • by SeaFox ( 739806 )

        It's weird that we're worried about them spying on us and not the massive amount of human rights abuses...

        Probably because stopping the spying is much easier than solving the human rights issues of a sovereign nation. Are you suggesting we bring some "freedom" to China?

        • "Are you suggesting we bring some "freedom" to China?" And ultimately this will lead to the whole world being free. Because when everything is in ruins and there are few people left alive in the world with no one else around to tell them what to do, everyone will be free. Who wouldn't want this?
      • by vbdasc ( 146051 )

        seriously. There is no way in heck they're not using slave labor.

        Why should they use "slave labor"? They use the famous Chinese "996" work system, which means their staff works from 9am till 9pm, 6 days per week. This is as good as any "slave labor", plus in China it's considered patriotic.

        Now, about the things they sell, some of them are certainly created with slave labor.

    • That can't possibly be profitable.

      They're not selling name brand stuff at low prices, it's all Chinese no-name products. If you've ever been to a Harbor Freight Tools store, you're already familiar with exactly how that works. Everything is generic Chinese crap with some imaginary inflated price that your "savings" is calculated from.

      • by ctilsie242 ( 4841247 ) on Thursday June 27, 2024 @04:53PM (#64583677)

        The irony is that if you buy from Temu, you get cheap, Chinese stuff. However, if you buy from a more well known merchant US-side, you get the same Chinese stuff, but it isn't cheap.

        Might as well cut out the middleman and pocket the savings yourself. Same with AliExpress and if you know what you are doing, Taobao.

        • It's very rare for shops in the UK to be selling dangerous goods, even if they're cheaply made in China. Buying mains or Li-ion powered stuff on Temu is a much more exciting proposition.

          https://www.which.co.uk/news/a... [which.co.uk]

          Might as well cut out the middleman and pocket the savings yourself.

          the middle men have local skin in the game and in most cases make sure they're even vaguely compliant with safety regs.

        • Temu is like the Etsy for industrial manufacturing though. If someone somewhere thought of it they will try to make a cheap copy of it, or if it is rejected from whatever QA process, they will resell it.

          And they don't care what they sell as long as it moves product overseas; the long ship times and delays, however, mean that by the time you get the product the window for refunds has closed.

          In most cases Temu is a scam, at best you get some stuff places like Harbor Freight have rejected for quality i

      • You realize brand name stuff , is no brand stuff with a brand name on it? Right?
    • by EvilSS ( 557649 )
      If they really want to make money they should try throwing out "research" no one can seem to replicate and then short-selling right before releasing the "report"
  • Fake it option ? (Score:5, Interesting)

    by dargaud ( 518470 ) <slashdot2@nOSpaM.gdargaud.net> on Thursday June 27, 2024 @03:18PM (#64583449) Homepage
    When an app asks you for permission to do such and such, why aren't there 3 options: allow, disallow and 'fake it' so that the app doesn't know the data it receives is fake ? I don't want my flashlight app to know my GPS position, but if it refuses to work if I answer 'no', then I'm stuck. A 'fake it' option is necessary.
    • by buck-yar ( 164658 ) on Thursday June 27, 2024 @03:47PM (#64583525)
      That is a great idea but Google doesn't want to pollute their data, and they're probably more on the side of most advertising companies than you. This Temu thing will probably get addressed somehow but don't expect them to suddenly protect your privacy.
    • Re:Fake it option ? (Score:5, Informative)

      by antdude ( 79039 ) on Thursday June 27, 2024 @04:15PM (#64583587) Homepage Journal

      iPhone's iOS location privacy options are annoying. They need more options like deny once during ask me, allow/deny for specific time limits, etc. I want more options.

    • Re:Fake it option ? (Score:5, Interesting)

      by ctilsie242 ( 4841247 ) on Thursday June 27, 2024 @04:55PM (#64583685)

      The ironic thing is that there used to be an app called xPrivacy which did exactly this for Android. Mic? It would get static. Location? You can set a location, have it move around. Contacts? It would make a jumbled list. Music? Random songs. Camera? Hope you like static footage. This was really useful for fleshlight apps that wanted every single permission under the sun, and wouldn't work otherwise.

      Miss the days where one could actually hack privacy into Android with that, as well as kernel-level outgoing firewalling, so obvious bad sites could not be contacted.

      • I wrote an iOS app that wanted to use a QR code once and that wanted permissions for photos and camera. The last two you could refuse - obviously the app could then not take photos or videos. The QR code however needed camera permission. I would have preferred some specialised permission that lets you read _one_ QR code successfully and then self destroys.
      • Your FleshLight app needed all those permissions to work??
        So FleshLight now has a side business of screenshot porn?
        LOL
        Thank you for the laugh today.

      • by AmiMoJo ( 196126 )

        You can still fake your location. You have to enable it in developer options, and then install an app that provides fake data.

        For contacts you can use Shelter or Android 15's new built in support for sandboxing apps.

        That said, almost every phone has had built in support for flashlight mode for a decade. You can usually add it to the notification shade menu. You shouldn't need an app for that. Unless you did really mean fleshlight and are talking about some kind of masturbation aid.

    • On Apple's App Store a flashlight app asking for your location will not pass the review process. I'm curious how that will work for alternative app stores in Europe.
    • There are actually apps (for Android at least) that allow you to do exactly that. Not in the Google store though. Look up "mock my gps". My favorite location to hang in is the North pole.

      • /e/OS makes faking location way easy, and the roadmap has toggling individual apps to fake location for, like one gets to choose which apps to route via tor.

        https://doc.e.foundation/suppo... [doc.e.foundation]

        Location is one thing, all the other permissions look like a whole other ballpark. Might be a thing for apps confined to in the "work profile" maybe?

    • by AmiMoJo ( 196126 )

      Android has that feature.

      You can use it via an open source app called Shelter, which silos apps off under the "work profile". Just don't add any contacts to it and any app running there gets an empty list.

      Android 15 is adding built in support for it, or rather a UI to make a longstanding feature accessible.

    • by vbdasc ( 146051 )

      Because this would violate the rights of the author of the flashlight app. Perhaps your GPS position is monetized to fund the app development. If you have problems with giving your flashlight app your GPS position, then just use another flashlight app. Nobody forces you to use this particular flashlight app.

    • by poptix ( 78287 )

      This is how it was on Blackberry, I miss it every day.

      Apps should not know if they were denied access.

  • by Fly Swatter ( 30498 ) on Thursday June 27, 2024 @03:18PM (#64583451) Homepage
    It circumvents our consumer protection laws, but since apparently Amazon has been able to flaunt consumer protection laws now everyone wants in on fleecing the American consumer.

    Since no laws need following, it also drives American brick and mortar retail further into the ground since they have to actually follow laws and pay taxes.
  • by drnb ( 2434720 ) on Thursday June 27, 2024 @03:20PM (#64583461)

    Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place

    Apple iOS does not allow such recompilation.

    • by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Thursday June 27, 2024 @03:24PM (#64583475) Homepage

      yeah, well... neither does Android.

    • by znrt ( 2424692 ) on Thursday June 27, 2024 @03:37PM (#64583505)

      what even is that? if it sounds like bullshit, smells like bullshit and looks like bullshit ...

      • by drnb ( 2434720 )

        what even is that? if it sounds like bullshit, smells like bullshit and looks like bullshit ...

        An app cannot introduce new code by (re)compiling something. All code must be in place at review time. Data that new code needs may be downloaded at runtime.

        • by znrt ( 2424692 ) on Thursday June 27, 2024 @04:32PM (#64583631)

          by (re)compiling something

          i want to see a proof of concept of that.

          there are indeed ways to (try to) inject code on a phone, recompiling is not one of them. afaik, but i'd love to be proven wrong. until that point, i told you: it absolutely smells like bullshit because it is bullshit. try to even make sense of the sources of this tripe.

          • by drnb ( 2434720 ) on Thursday June 27, 2024 @04:44PM (#64583665)
            What the original author referred to as recompiling is what the more technically inclined would have referred to as code generation, and/or self-modifying code.
            • by AmiMoJo ( 196126 )

              Android apps can't modify their code under normal circumstances. It's possible but requires the user to authorize the app to install apps itself, since the modification can only take place on an APK, not on a running app. And then the user also has to authorize the installation of that specific app. By default Google Play blocks modified executables from being installed even after the user confirms installation, with a further few taps required to get through the scary warning messages.

              It's a basic security

              • by drnb ( 2434720 )

                Android apps can't modify their code under normal circumstances. It's possible but requires the user to authorize the app to install apps itself, since the modification can only take place on an APK, not on a running app. And then the user also has to authorize the installation of that specific app.

                And on iOS no such thing is allowed at all. All code must have gone through the approval process's examination and come from the App Store. Perhaps such a second app is what the author meant as recompile.

          • Yeah I think maybe they mean something like interpreting the code or downloading code and JIT'ing it. It's also very likely that Apple themselves aren't even sure exactly what they mean there, they just know there's a whole weird can of worms that can kinda sorta be called re/compiling so it's there if they wanna kick you off the store.

            Also it covers a lot of threats that might be difficult to prove, like say you have an updater and a game scripting engine that's interpreted as part of your app. You could

      • by EvilSS ( 557649 )
        Go look at the business model for Grizzly Research and it will all suddenly make sense.
    • Why are we stuck with Android again?
      • by slaker ( 53818 ) on Thursday June 27, 2024 @04:00PM (#64583553)

        Because Apple thinks its end users are idiots and doesn't allow them to do a lot of things that are both possible and commonplace on Android. Like have a fully functional file browser or replace provided applications with their preferred version.

        • by Anonymous Coward

          Hear hear! Heck, iOS users have to work extra hard to even join botnets!

      • by narcc ( 412956 )

        Because you didn't think the alternatives were cool enough.

        For privacy and productivity, you couldn't get any better than Blackberry. BB10 (QNX) was also just about the best mobile OS around. Both iOS and Android are still playing catch-up.

        But it wasn't cool, so all the tech bros shouted 'it's dying, it's dying' even as it outsold Apple quarter after quarter ... until 2013, when Apple finally pulled ahead.

        FirefoxOS had a lot of potential, but it died with boot2gecko. A real shame, given how open it was.

    • by Powercntrl ( 458442 ) on Thursday June 27, 2024 @04:11PM (#64583585) Homepage

      Apple iOS does not allow such recompilation.

      It's worth mentioning that when Apple implemented stronger privacy protections on iOS, Meta whined about it quite loudly. [forbes.com] I'd say it's a very safe assumption that Temu can't get their snoop on under iOS, and that this is entirely an Android problem. The real story here is that yet again Google really doesn't give a shit about protecting their users' privacy.

      • by Zumbs ( 1241138 ) on Thursday June 27, 2024 @04:23PM (#64583615) Homepage
        You know what assuming does? Here is a quote from the article:

        According to Griffin, the same concerns that got Pinduoduo suspended last year remain today for Temu users, but the App Store and Google Play have allegedly failed to take action to prevent unauthorized access to user data.

        If the claim is correct, both Apple and Google failed to protect the phone users.

        • by Lehk228 ( 705449 )
          The claim is that it "recompiles itself" which makes no fucking sense so it's probably safe to assume the claims are at least 3/4 bullshit.

          either Temu is flagrantly exploiting zero day vulnerabilities in both iOS and Android or it's getting access by asking (spam your friends text messages to get 50 cents off!) which is more likely?
          • by drnb ( 2434720 )

            The claim is that it "recompiles ityself" which makes no fucking sense so it's probably safe to assume the claims are at least 3/4 bullshit.

            What the original author referred to as recompiling is what the more technically inclined would have referred to as code generation, and/or self-modifying code.

            • by AmiMoJo ( 196126 )

              What the original author referred to as recompiling is what the more technically inclined would have referred to as code generation, and/or self-modifying code.

              Both of which are impossible on Android. Executable code in memory is read-only, and data has the no-execute flag set. Set by the OS, they cannot be overridden by apps.
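
              The W^X property described in the comment above (code pages readable and executable but not writable, data pages writable but not executable) can be checked directly on a running process, because Android exposes the same /proc/<pid>/maps format as Linux. The script below is an added example for this discussion, not code from the thread, from Android's tooling or from any app mentioned here; SAMPLE_MAPS is constructed, with one rwx region planted so the check has something to report. A hit is a lead to investigate rather than proof of anything, since a JIT can legitimately own executable memory.

```python
"""Flag writable-and-executable regions in a Linux/Android process memory map.

Added example for this discussion; it is not from the thread, from Android's
own tooling, or from any app under discussion. It reads the /proc/<pid>/maps
format that Android inherits from Linux. SAMPLE_MAPS below is constructed:
five ordinary regions plus one rwx region planted so the check finds it.
"""
import re
from dataclasses import dataclass

# address range, perms (e.g. r-xp), file offset, device, inode, optional path
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"(?:\s+(?P<path>\S.*))?\s*$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def executable(self) -> bool:
        return "x" in self.perms


def parse_maps(text: str) -> list[Mapping]:
    """Parse maps output; lines that do not match the format are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        mappings.append(Mapping(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            path=m["path"] or "",
        ))
    return mappings


def find_wx(mappings: list[Mapping]) -> list[Mapping]:
    """Regions that are both writable and executable, i.e. W^X violations."""
    return [m for m in mappings if m.writable and m.executable]


def audit_process(pid: str = "self") -> list[Mapping]:
    """Read a live process's map (Linux/Android only) and return rwx regions."""
    with open(f"/proc/{pid}/maps") as fh:
        return find_wx(parse_maps(fh.read()))


# Constructed sample. Code pages are r-x, data pages rw-, plus one planted rwx.
SAMPLE_MAPS = """\
7ffc0c000000-7ffc0c0a4000 r--p 00000000 fd:01 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7ffc0c0a4000-7ffc0c1b0000 r-xp 000a4000 fd:01 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7ffc0c1b0000-7ffc0c1b8000 rw-p 001b0000 fd:01 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7ffc10000000-7ffc12000000 rw-p 00000000 00:00 0 [anon:dalvik-main space (region space)]
7ffc20000000-7ffc20040000 rwxp 00000000 00:00 0 [anon:constructed-rwx]
7ffc30000000-7ffc30021000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for hit in find_wx(parse_maps(SAMPLE_MAPS)):
        print(f"rwx: {hit.start:x}-{hit.end:x} {hit.perms} {hit.path}")
```

              On a rooted device or emulator, `audit_process(pid)` against the app's process gives the live answer; on the constructed sample only the planted region is reported.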

      • To be honest, there's also the possibility that the whole claim is totally made up to extract money. And if it's totally made up, that doesn't imply Temu isn't doing it :-(
  • by nealric ( 3647765 ) on Thursday June 27, 2024 @03:22PM (#64583467)

    I've occasionally seen ads from Temu and clicked around just to see what they were offering. But everything comes back to demanding you install the app. It's fine if a retailer encourages you to use their app, but it seemed like there were a lot of items they demanded you download their app to purchase. That was a red flag to me. A retailer who wants to sell you a product shouldn't care if you order it through the app or their website. It seemed like they were more interested in you downloading the app than buying anything. It all makes perfect sense if the app is spyware.

  • If I see fifteen ads while playing Avalon Hill's Serious Respectable World War Simulator.. well, okay, actually Warlordz of Bazzbadang... well, okay, actually Ye Olde Troublee in Toone Towne... well, okay, actually Candy Crush... on my phone, and fourteen of them are for one e-retailer, and one is just a Google Map search that doesn't load right, I will tend to believe that the e-retailer is up to something sinister. Just because, in 100% of cases, no company has ever gotten that big without doing somethin
  • by registrations_suck ( 1075251 ) on Thursday June 27, 2024 @03:38PM (#64583507)

    Every once in a while, I will see one of their ads with something interesting on it so I click. Then I just get some spinning wheel of death and never get to the product page. I just close the window.

    It's rare I click on an ad, but when I do, it would be nice if it would fucking work.

    • Silly you, that "spinning wheel of death" is informing you to wait while your device's contents are downloaded. You're not waiting long enough.

      • Yeah. I don't have the patience for that shit.

        I really wanted to buy one of those "launch rockets" cigarette lighter things too. Oh well.

    • Then I just get some spinning wheel of death and never get to the product page.

      If you weren't getting the spinning wheel of death, you'd be getting the spinning wheel of fake discounts. Who doesn't want 70% off a "$1,400" self propelled electric push lawn mower from some manufacturer you've never heard of? Never mind that Walmart sells basically the same damn thing for slightly cheaper, and they're likely to actually honor the product's warranty.

    • That's the site telling you, "Eh, we're having difficulty getting into your stuff. Can you disable a bunch of protections so we can run scripts and "show ads", change browser and install the app instead for your convenience and for security reasons?" The Internet is becoming useless for me. You also are probably using Linux and a non-popular browser, on a PC box, with ad and script blocking.
  • by dskoll ( 99328 )

    I would not be surprised if Temu were indeed this bad, but Grizzly Research LLC also looks a bit sus in my opinion. The report [grizzlyreports.com] is written in a very sensational style with dollops of hyperbole.

  • by The Cat ( 19816 )

    American tech companies! You keep laying off those Americans. Things will turn around for you any minute now.

  • Just put a bunch of Taiwan listings in your contacts, your pictures, and elsewhere. It will either pollute their system or raise questions with the directorate. Or both.

  • Gee, I wonder why it's malware? Hmm...

  • by jddj ( 1085169 )

    Duh?

  • If an app is just a app-ized website - be it Temu, Facebook, or Twitter - it's typically a bad idea to use it. All you're doing is giving that entity the chance to hoover up even more of your personal data.

    Stick with the web interface, and use something other than Chrome to view the site.

  • by Anonymous Coward
    The Facebook app does all these things and more. We have multiple examples of people's Facebook feeds suddenly advertising obscure things they were only just talking about within earshot of their phones a short time earlier.
  • by redback ( 15527 )

    I thought everyone knew this.

  • by Cyberax ( 705495 ) on Thursday June 27, 2024 @05:16PM (#64583733)
    You can't just "recompile" yourself and get new permissions. Apple doesn't allow text access at all (except for OTP), and Android requires you to declare it in the application manifest, and then prompts you for permission during the runtime. Silent access to texts requires breaking through sandboxing.

    It seems like it's just another attempt at extortion and/or stock manipulation.
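
    The comment above points at the check a practitioner can actually run: on Android, SMS, contacts, location and camera access all have to be declared in the application manifest before the runtime prompt can ever happen, so the declared permissions are the first thing to read. The script below is an added example for this discussion, not Temu's code and not anything posted in the thread. It assumes the manifest has already been decoded from the APK to plain XML (for instance with `apktool d app.apk`); SAMPLE_MANIFEST is constructed, and the permission names are the standard Android ones. It also flags REQUEST_INSTALL_PACKAGES, the permission that lets an app hand a new APK to the installer, which is the only sanctioned route to the "install a modified app" scenario discussed earlier in the thread.

```python
"""Audit a decoded AndroidManifest.xml for the permissions that gate SMS,
contacts, location, camera and package-install access.

Added example for this discussion; it is not Temu's code and not anything from
the thread. It assumes the manifest has already been decoded to plain XML
(for instance with `apktool d app.apk`, which writes AndroidManifest.xml as
text). SAMPLE_MANIFEST below is constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Runtime ("dangerous") permissions: on Android 6+ the manifest declaration
# alone grants nothing, the app must also prompt the user while running.
RUNTIME_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
}
SMS_PERMISSIONS = {p for p in RUNTIME_PERMISSIONS if p.endswith("_SMS")}

# Not runtime-prompted, but worth a second look: the first lets the app hand
# an APK to the system installer (the user still has to allow "install
# unknown apps" and confirm each install), the second lets it list every
# installed package.
NOTABLE_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.QUERY_ALL_PACKAGES",
}

# Both element names carry android:name; the -sdk-23 variant is only applied
# on devices with the runtime permission model.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission name the manifest requests, sorted and unique."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("root element is %r, expected <manifest>" % root.tag)
    names = set()
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name:
                names.add(name)
    return sorted(names)


def audit_manifest(manifest_xml: str) -> dict:
    """Bucket the declared permissions so the risky ones stand out."""
    declared = declared_permissions(manifest_xml)
    runtime = [p for p in declared if p in RUNTIME_PERMISSIONS]
    notable = [p for p in declared if p in NOTABLE_PERMISSIONS]
    other = [p for p in declared
             if p not in RUNTIME_PERMISSIONS and p not in NOTABLE_PERMISSIONS]
    return {
        "runtime": runtime,
        "notable": notable,
        "other": other,
        # True if the app could read or intercept texts once the user says yes.
        "sms_access": any(p in SMS_PERMISSIONS for p in declared),
    }


# Constructed sample, not taken from any real APK.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shopping">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Shop"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for bucket in ("runtime", "notable", "other"):
        print(bucket + ":")
        for perm in report[bucket]:
            print("  " + perm)
    print("can reach SMS once granted:", report["sms_access"])
```

    An app with no SMS permission in its manifest cannot be granted one at runtime, which is why the manifest, not the marketing copy or the short-seller report, is where a claim like "spying on your texts" is settled first; the runtime grant state for an installed app can then be confirmed with `adb shell dumpsys package <name>`.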
  • Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "law

    Exactly the same situation GAFAM face with US Patriot Act and CLOUD Act.

  • I saw this on youtube and cracked up! SNL did a "fake temu" ad. https://www.youtube.com/watch?... [youtube.com]
