Temu is Malware — It Sells Your Info, Accuses Ark. AG
Chinese fast-fashion-cum-junk retailer “is a data‑theft business.”
Do you have the Temu app installed on your phone? You might wanna think twice about that. Arkansas is suing Temu’s owners, accusing them of deeply shady privacy practices.
But not everyone is buying the Natural State’s narrative. In today’s SB Blogwatch, we see both sides.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: CMAT’s KT cover.
“Temu can Recompile Itself”
What’s the craic? Mitch “bow ties are cool” Bettis and friends report: Arkansas Sues Temu
“Overriding the data privacy settings”
Temu was the most downloaded app in the U.S. in 2023—at 337 million downloads. … “Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end,” … Arkansas Attorney General Tim Griffin … said in a statement.
…
Griffin announced a lawsuit against the parent companies of online retailer Temu, alleging that the shopping app illegally collects user information and sells the data to third parties. The complaint against PDD Holdings Inc. and Whaleco Inc. … says the app is “purposefully designed to gain unrestricted access to a user’s phone operating system,” including a user’s camera, specific location, contacts, text messages, documents and other applications. … Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”
Wait, what? Huge, if true. Who can dig into these allegations? Michael Kan can: Claims Chinese Shopping App Is Malware
“Similar claims made against TikTok”
The lawsuit points to Google briefly suspending PDD’s Pinduoduo app after versions that were not in the Play Store were found to contain malware, and Apple temporarily pulling Temu from the iOS App Store for failing to follow the mandatory privacy rules on data tracking. [And] it cites comments from third-party groups, including a short-selling firm, alarmed with the range of data that Temu can allegedly collect from a user’s phone.
…
Griffin also claims that Temu “is led by a cadre of former Chinese Communist Party officials, which raises significant security risks.” … Specifically, he’s concerned that the Chinese government could force Temu to secretly spy on Americans. The allegations echo similar claims made against TikTok.
What does Temu have to say for itself? Bring Bradford Betz back: PDD Holdings described as a ‘monster in Chinese e-commerce’
“We categorically deny”
A spokesperson for Temu said the company was “surprised and disappointed” [and] argued that the scrutiny “will ultimately benefit our development.” … The company accused the attorney general of filing the lawsuit “without any independent fact-finding.”
…
The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded. We categorically deny the allegations and will vigorously defend ourselves,” the Temu spokesperson said.
Extraordinary claims require extraordinary evidence. philipkglass sees through the most eye opening claim:
It sounds implausible that the app can bypass OS-level restrictions. … It appears that the app has many characteristics the analysts considered suspicious but there’s no evidence that it can actually bypass OS-level restrictions.
The report is from September 2023. So if there were actually Android bugs that allowed permissions bypass I would have expected more security reporting from Google or third parties by now.
Shaving with Occam’s Razor, starglider doesn’t buy it:
Temu is a garbage company that exploits labor and tries to spy on its users, using dark patterns and abusing OS permission prompts. [This] seems entirely plausible.
…
[But] there’s just no way this app does what [they] claim it does. None. This would mean that the entire security of both iOS and Android is hopelessly broken. Exploits to do what they’re claiming Temu does sell for millions of dollars and are hoarded by entities like the NSA and NSO Group and used to attack high-level politicians and journalists. And we’re supposed to believe that some rinky-dink shopping app can do that kind of thing? I don’t buy it.
Actions speak louder than words. nealric thinks Temu’s “app focus was always shady:”
.I’ve occasionally seen ads from Temu and clicked around just to see what they were offering. But everything comes back to demanding you install the app. It’s fine if a retailer encourages you to use their app, but it seemed like there were a lot of items they demanded you download their app.
…
That was a red flag to me. A retailer who wants to sell you a product shouldn’t care if you order it through the app or their website. It seemed like they were more interested in you downloading the app than buying anything. It all makes perfect sense if the app is spyware.
One of the substantive complaints is the ubiquitous use of location tracking. MorbidGod scoffs thuswise:
“A reasonable consumer would assume that the location permission is confined to the use of photo uploads. The permission, however, extends to any time the user engages with the Temu app.”
…
A lot of apps, not just Temu, access your location data all the time. And in more ways then one: They use your GPS, your WiFi location, and even your Bluetooth. If this AG does not like this, then maybe — just maybe — we should change our data privacy laws.
Is there a wider issue here? cleverclogs thinks there are other laws to be made:
These Chinese fast fashion throwaway ****** manufacturers should honestly be banned. There is nothing remotely of value to planet or person with the products they shovel.
Meanwhile, Veliladon oinks approvingly:
People buy from Temu and SHEIN knowing it’s basically a lottery ticket on the stuff showing up—and disputing the CC transaction if it doesn’t. What’s the old saying? Don’t wrestle with a pig because the pig just likes it and you end up covered in [mud].
And Finally:
CW: An F- and a B-bomb
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Daniel Foster / Focal Foto (cc:by-nc; leveled and cropped)