Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place."

Griffin fears that Temu is capable of accessing virtually all data on a person's phone, exposing both users and non-users to extreme privacy and security risks. It appears that anyone texting or emailing someone with the shopping app installed risks Temu accessing private data, Griffin's suit claimed, which Temu then allegedly monetizes by selling it to third parties, "profiting at the direct expense" of users' privacy rights.

"Compounding" risks is the possibility that Temu's Chinese owners, PDD Holdings, are legally obligated to share data with the Chinese government, the lawsuit said, due to Chinese "laws that mandate secret cooperation with China's intelligence apparatus regardless of any data protection guarantees existing in the United States."

Griffin's suit cited an extensive forensic investigation into Temu by Grizzly Research—which analyzes publicly traded companies to inform investors—last September. In their report, Grizzly Research alleged that PDD Holdings is a “fraudulent company” and that “Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests.”

As Griffin sees it, Temu baits users with misleading promises of discounted, quality goods, angling to get access to as much user data as possible by adding addictive features that keep users logged in, like spinning a wheel for deals. Meanwhile hundreds of complaints to the Better Business Bureau showed that Temu's goods are actually low-quality, Griffin alleged, apparently supporting his claim that Temu's end goal isn't to be the world's biggest shopping platform but to steal data.

Investigators agreed, the lawsuit said, concluding “we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure."

Seeking an injunction to stop Temu from allegedly spying on users, Griffin is hoping a jury will find that Temu's alleged practices violated the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act. If Temu loses, it could be on the hook for $10,000 per violation of the ADTPA and ordered to disgorge profits from data sales and deceptive sales on the app.

Temu “surprised” by lawsuit

The company that owns Temu, PDD Holdings, was founded in 2015 by a former Google employee, Colin Huang. It was originally based in China, but after security concerns were raised, the company relocated its "principal executive offices" to Ireland, Griffin's complaint said. This, Griffin suggested, was intended to distance the company from debate over national security risks posed by China, but because the majority of its business operations remain in China, risks allegedly remain.

PDD Holdings' relocation came amid heightened scrutiny of Pinduoduo, the Chinese app on which Temu's shopping platform is based. Last year, Pinduoduo came under fire for privacy and security risks that got the app suspended from Google Play as suspected malware. Experts said Pinduoduo took security and privacy risks "to the next level," the lawsuit said. And "around the same time," Apple's App Store also flagged Temu's data privacy terms as misleading, further heightening scrutiny of two of PDD Holdings' biggest apps, the complaint noted.

Researchers found that Pinduoduo "was programmed to bypass users’ cell phone security in order to monitor activities on other apps, check notifications, read private messages, and change settings," the lawsuit said. "It also could spy on competitors by tracking activity on other shopping apps and getting information from them," as well as "run in the background and prevent itself from being uninstalled." The motivation behind the malicious design was apparently "to boost sales."

According to Griffin, the same concerns that got Pinduoduo suspended last year remain today for Temu users, but the App Store and Google Play have allegedly failed to take action to prevent unauthorized access to user data. Within a year of Temu's launch, the "same software engineers and product managers who developed Pinduoduo" allegedly "were transitioned to working on the Temu app."

Google and Apple did not immediately respond to Ars' request for comment.

A Temu spokesperson provided a statement to Ars, discrediting Grizzly Research's investigation and confirming that the company was "surprised and disappointed by the Arkansas Attorney General's Office for filing the lawsuit without any independent fact-finding."

"The allegations in the lawsuit are based on misinformation circulated online, primarily from a short-seller, and are totally unfounded," Temu's spokesperson said. "We categorically deny the allegations and will vigorously defend ourselves."

While Temu plans to defend against claims, the company also seems to potentially be open to making changes based on criticism lobbed in Griffin's complaint.

"We understand that as a new company with an innovative supply chain model, some may misunderstand us at first glance and not welcome us," Temu's spokesperson said. "We are committed to the long-term and believe that scrutiny will ultimately benefit our development. We are confident that our actions and contributions to the community will speak for themselves over time."

How is Temu malware?

Last year, Temu was the most downloaded app in the US, Griffin's complaint noted, while most users had no way of knowing that the app was allegedly collecting "a shocking amount of sensitive user data" that was "beyond what is necessary for an online shopping app."

According to the complaint, Temu is allegedly obscuring its unauthorized access to data through misleading terms of use and privacy policies that do not alert users to the full scope of data that the app can potentially collect. That includes not telling users about tracking granular locations for no defined purpose and collecting "even biometric information such as users’ fingerprints."

App store security scans don't flag Temu's risks, the complaint alleged, because Temu can "change its own code once it has been downloaded to a user’s phone"—which means it's essentially able to transform into malware once it is past the security checkpoint.

That seemingly allows Temu to "exploit" the user's personally identifying information (PII) "and other data or to otherwise control the user's device, in unknown and unknowable ways." To do this, like Pinduoduo, Temu allegedly relies on "code designed to achieve 'privilege escalation,' a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than is authorized."

Among other allegedly malicious design features, Temu seemingly easily bypasses security scans by relying on a "cryptically named function" of its source code that "is not visible to security scans before or during installation of the app, or even with elaborate penetration testing," Grizzly Research found. This function allegedly "enables the app to change its behavior—and possibly its entire function—on the user's phone, without anyone being able to know, much less prevent such a change."

That might also make it possible for Temu to hide from debuggers identifying malware, the complaint said, by simply changing the app's behavior once a user's security scan is detected.

On Android phones, Temu also allegedly uses what Google considers a "high risk or sensitive permission" to install any program that it wants "without the user's knowledge or control." While some apps require this permission to function, "there is no justifiable use for this feature on the Temu app, which purportedly is simply an e-commerce platform," the complaint said.

"The ability to bypass phone security systems is dangerous because it potentially allows Temu to read a user's private messages, change the phone’s settings, and track notifications," the complaint warned, which is why Grizzly research considers Temu "the most dangerous malware/spyware package currently in widespread circulation.” And other security experts have flagged Temu as “even more ‘malicious’" than Pinduoduo, Griffin's complaint said.

According to Statista data, Temu has only become more popular as reports of security and privacy risks have come out. In May, "the app was downloaded over 52 million times all over the world, making it more popular than Amazon’s marketplace app." As Temu's popularity soars, Griffin hopes to intervene to stop allegedly deceptive and privacy-infringing trade practices that could impact millions.

Temu and PDD Holdings "utilize deception—in the forms of misrepresentation, omission, and deliberate concealment—to mask the Temu app's behavior, hide the fact that PII is being siphoned from the user's device, and prevent the user from knowing that said PII is subject to unfettered use by other individuals and an adversarial government," the lawsuit alleged.