Shopping app Temu is “dangerous malware,” spying on your texts, U.S. lawsuit claims

Submitted ⁨⁨4⁩ ⁨months⁩ ago⁩ by ⁨tardigrada@beehaw.org⁩ to ⁨technology@beehaw.org⁩

https://arstechnica.com/tech-policy/2024/06/shopping-app-temu-is-dangerous-malware-spying-on-your-texts-lawsuit-claims

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

Griffin cited research and media reports exposing Temu’s allegedly nefarious design, which “purposely” allows Temu to “gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications.”

“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

source

Comments

Sort:hotnew top

smeg@feddit.uk ⁨4⁩ ⁨months⁩ ago

Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place

If this is actually possible then isn’t that a huge security vulnerability in Android and/or iOS? I feel if this was the case we’d be hearing about it from security researchers rather than a lawyer.

source
- Thevenin@beehaw.org ⁨4⁩ ⁨months⁩ ago
  I’d believe it because I remember the same being true for TikTok.
  
  I don’t have the links on me right now, but I remember clearly that when tiktok was new, engineers trying to figure out what data it collected found that the app could recognize when it was being observed, and would “rewite” itself to evade detection.
  
  They noted that they’d never seen this outside of sophisticated malware, and doubted that a social media company had the resources to write such a program.
  
  source
  - jarfil@beehaw.org ⁨4⁩ ⁨months⁩ ago
    
    doubted that a social media company had the resources to write such a program.
    
    Em… writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it’s running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.
    
    It’s still sneaky behavior and a dark pattern, but come on.
    
    source
    -> View More Comments
onlinepersona@programming.dev ⁨4⁩ ⁨months⁩ ago
So just like the majority USAian app out there? I think Temu fits right in. Why are people so concerned about what China is doing with their data, but not the very countries they live in or (more importantly) the dominant online surveillance presence: the USA?

Anti Commercial-AI license

source
- NaibofTabr@infosec.pub ⁨4⁩ ⁨months⁩ ago
  Believe it or not, I can be concerned about both.
  
  source
  - onlinepersona@programming.dev ⁨4⁩ ⁨months⁩ ago
    
    Believe it or not, I can be concerned about both.
    
    Yes you can, most people aren’t. In real life, by far the most common response I’ve gotten when talking about privacy is 😴 . My colleagues in tech will hotly debate China’s surveillance, but happy use face ID on their iPhone, upload their entire life to Google or iCloud (including recordings of therapy sessions), send their blood into do a heritage check, nearly exclusively use Amazon for shopping, have an Amazon Ring camera at their door, and so much more.
    
    You are the minority.
    
    Anti Commercial-AI license
    
    source
- tardigrada@beehaw.org ⁨4⁩ ⁨months⁩ ago
  One thing that’s obvious here on Lemmy is that whataboutism works only in one direction. If an article is critical of China, Russia, Iran, or other dictatorships, you’d read, “But about U.S./EU/the West”. But there are tons of articles here critical of Western countries, and it’s accepted. Why is this? Just wumaos?
  
  source
  - HobbitFoot@thelemmy.club ⁨4⁩ ⁨months⁩ ago
    Lemmy was designed to be a place where communists would have a community. Some instances weren’t, but a lot of the original ones were.
    
    source
    -> View More Comments
  - onlinepersona@programming.dev ⁨4⁩ ⁨months⁩ ago
    It’s funny that every time someone points out the pot calling the kettle black the training kicks in to shout “whataboutism” and it must be “wumao”. It’s almost a meme. You don’t think an article about Xi Ping’s government warning about USAian surveillance would be mocked and ridiculed due to their Great Firewall? That wouldn’t be “whataboutism” though, right? It would be a “critical opinion”?
    
    Anti Commercial-AI license
    
    source
    -> View More Comments
  - sunzu@kbin.run ⁨4⁩ ⁨months⁩ ago
    Because people live there and that's what they care about.
    
    Also this article is shiti propaganda. Is temu shite.... Ya, you ain't got to use.
    
    Google luck trying to have a normal life qiehout use big tech lol
    
    Which is a lot more dangerous than temu or tiktok from personal privacy and security perspective.
    
    source
- Kissaki@beehaw.org ⁨4⁩ ⁨months⁩ ago
  
  “Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”
  
  So just like the majority USAian app out there?
  
  Which apps do that? Because I am certain it’s NOT the majority, and very skeptical about any other apps doing that.
  
  source
  - onlinepersona@programming.dev ⁨4⁩ ⁨months⁩ ago
    More about the part of stealing information. Most people barely look at permissions.
    
    A flashlight app needs access to my calls, microphone, clipboard, filesystem, and network? Sure, I’ll install it.
    
    All Temu had to do was ask and people would grant it.
    
    Anti Commercial-AI license
    
    source
    -> View More Comments
- TehPers@beehaw.org ⁨4⁩ ⁨months⁩ ago
  I’m not sure I understand why this question comes up everytime some chinese app is in a news article.
  
  Anyway, it should not come as a surprise, but “Arkansas Attorney General Tim Griffin”, someone who works as AG for a state in the US, presumably is more interested in US interests than Chinese interests, and presumably places more trust in the government and businesses of the country he lives in than in the government (and businesses, for where there’s a distinction anyway) of the country of his nation’s economic rival.
  
  source
- ssm@lemmy.sdf.org ⁨4⁩ ⁨months⁩ ago
  Russian/Chinese software contains spyware: 😡😡👿👿💢💢
  
  US software contains spyware: 😇👉👈
  
  source
  - DdCno1@beehaw.org ⁨4⁩ ⁨months⁩ ago
    Unsurprisingly, defenders of dictatorships always have to resort to whataboutism to defend the indefensible.
    
    As per usual, this whataboutism is lazy and inaccurate as well.
    
    source
    -> View More Comments
- Kaboom@reddthat.com ⁨4⁩ ⁨months⁩ ago
  You do realize that license doesnt do anything, right? Facebook tier logic right there
  
  source
  - jarfil@beehaw.org ⁨4⁩ ⁨months⁩ ago
    This comment © 2024 by jarfil is licensed under CC BY 4.0. To view a copy of this license, visit creativecommons.org/licenses/by/4.0/
    
    No they don’t. It’s not only not applied to their comment, but also misnamed.
    
    source
    -> View More Comments
  - onlinepersona@programming.dev ⁨4⁩ ⁨months⁩ ago
    Good job on not reading it and understanding absolutely nothing 👏
    
    Anti Commercial-AI license
    
    source
    -> View More Comments
cupcakezealot@lemmy.blahaj.zone ⁨4⁩ ⁨months⁩ ago
starting to think that politicians have no clue about how technology works.

source
autotldr@lemmings.world [bot] ⁨4⁩ ⁨months⁩ ago
🤖 I’m a bot that provides automatic summaries for articles:

Click here to see the summary
Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday. Griffin fears that Temu is capable of accessing virtually all data on a person’s phone, exposing both users and non-users to extreme privacy and security risks. In their report, Grizzly Research alleged that PDD Holdings is a “fraudulent company” and that “Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests.” Investigators agreed, the lawsuit said, concluding “we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure." Researchers found that Pinduoduo “was programmed to bypass users’ cell phone security in order to monitor activities on other apps, check notifications, read private messages, and change settings,” the lawsuit said. A Temu spokesperson provided a statement to Ars, discrediting Grizzly Research’s investigation and confirming that the company was “surprised and disappointed by the Arkansas Attorney General’s Office for filing the lawsuit without any independent fact-finding.” — Saved 78% of original text.

source