posted by hubie on Friday July 05, @04:29AM   Printer-friendly
from the embrace-the-suck dept.

https://arstechnica.com/tech-policy/2024/06/shopping-app-temu-is-dangerous-malware-spying-on-your-texts-lawsuit-claims/

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.

Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place."
[...]
The company that owns Temu, PDD Holdings, was founded in 2015 by a former Google employee, Colin Huang. It was originally based in China, but after security concerns were raised, the company relocated its "principal executive offices" to Ireland, Griffin's complaint said. This, Griffin suggested, was intended to distance the company from debate over national security risks posed by China, but because the majority of its business operations remain in China, risks allegedly remain.
[...]
Last year, Temu was the most downloaded app in the US, Griffin's complaint noted, while most users had no way of knowing that the app was allegedly collecting "a shocking amount of sensitive user data" that was "beyond what is necessary for an online shopping app."

According to the complaint, Temu is allegedly obscuring its unauthorized access to data through misleading terms of use and privacy policies that do not alert users to the full scope of data that the app can potentially collect. That includes not telling users about tracking granular locations for no defined purpose and collecting "even biometric information such as users' fingerprints."

App store security scans don't flag Temu's risks, the complaint alleged, because Temu can "change its own code once it has been downloaded to a user's phone"—which means it's essentially able to transform into malware once it is past the security checkpoint.
[...]
On Android phones, Temu also allegedly uses what Google considers a "high risk or sensitive permission" to install any program that it wants "without the user's knowledge or control." While some apps require this permission to function, "there is no justifiable use for this feature on the Temu app, which purportedly is simply an e-commerce platform," the complaint said.
[...]
According to Statista data, Temu has only become more popular as reports of security and privacy risks have come out. In May, "the app was downloaded over 52 million times all over the world, making it more popular than Amazon's marketplace app." As Temu's popularity soars, Griffin hopes to intervene to stop allegedly deceptive and privacy-infringing trade practices that could impact millions.

Temu and PDD Holdings "utilize deception—in the forms of misrepresentation, omission, and deliberate concealment—to mask the Temu app's behavior, hide the fact that PII is being siphoned from the user's device, and prevent the user from knowing that said PII is subject to unfettered use by other individuals and an adversarial government," the lawsuit alleged.
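The one concrete technical claim in the complaint that a phone owner can check for themselves is the Android permission one: whether an app has asked for, and been granted, the permission to install other packages, or any of the other permissions the complaint lists (SMS, contacts, precise location, camera, documents). The script below is an added example, not code from the story, the lawsuit, or any app vendor. It parses the text that `adb shell dumpsys package <pkg>` prints for an installed app and flags the permissions a shopping app has no obvious need for. The sample dump is constructed here for a hypothetical package `com.example.shop` and says nothing about what Temu actually requests; the set of permissions treated as sensitive is my own selection of Android permission names, chosen from those that Android classes as dangerous (runtime) permissions plus `REQUEST_INSTALL_PACKAGES`, which is the "install any program" permission the complaint refers to.

```python
"""Flag sensitive Android permissions in `adb shell dumpsys package <pkg>` output.

Added example: not from the lawsuit, Ars Technica, SoylentNews, or any app vendor.
SAMPLE below is constructed for a hypothetical package com.example.shop and does
not describe Temu or any real app.
"""
import re

# Editor's selection (assumption, not a list from the page): runtime "dangerous"
# permissions matching the data categories the complaint names, plus the
# install-packages permission the complaint calls "high risk or sensitive".
SENSITIVE = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while app is closed",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "read documents and media",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "read and write all files",
}

# A permission line is either a bare name (under "requested permissions:")
# or "name: granted=true|false, flags=[...]" (install/runtime sections).
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")

# Constructed sample in the shape dumpsys prints; values are invented.
SAMPLE = """\
Packages:
  Package [com.example.shop] (1a2b3c):
    userId=10234
    versionName=1.0.0
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: ceDataInode=123 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""


def parse_dumpsys(text):
    """Return {permission: True/False/None} from a dumpsys package dump.

    None means the permission is requested in the manifest but no grant
    state was printed for it; True/False is the grant state dumpsys reports.
    """
    perms = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            section = stripped          # e.g. "requested permissions:"
            continue
        m = PERM_RE.match(line)
        if not m or section is None:
            continue
        name, granted = m.group(1), m.group(2)
        if granted is None:
            perms.setdefault(name, None)  # requested; grant state unknown so far
        else:
            perms[name] = granted == "true"
    return perms


def flag_sensitive(perms):
    """Return [(permission, why_it_matters, granted)] for each sensitive one requested."""
    return [(p, SENSITIVE[p], g) for p, g in perms.items() if p in SENSITIVE]


def audit(text):
    """Parse a dumpsys dump and return the sensitive permissions it requests."""
    return flag_sensitive(parse_dumpsys(text))


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package com.example.shop > dump.txt
    for perm, why, granted in audit(SAMPLE):
        state = {True: "GRANTED", False: "denied", None: "requested"}[granted]
        print(f"{state:9} {perm}  ({why})")
```

Two caveats a practitioner would want alongside this. First, the complaint's point about code that changes after install is real in the sense that static review of a store build will not see code the app loads later; but such code runs inside the same app sandbox, so whatever it does is still bounded by the permissions the manifest declares and the user grants, which is exactly why the install-packages permission matters more than the rest. Second, `granted=true` on an install permission (like `REQUEST_INSTALL_PACKAGES`) is decided at install time, not by a runtime prompt, so a user who only watches for permission pop-ups will never be asked about it.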


  • (Score: 0, Troll) by Anonymous Coward on Friday July 05, @05:19AM (2 children)

    by Anonymous Coward on Friday July 05, @05:19AM (#1363138)

    PII is subject to unfettered use by... an adversarial government

    All governments are adversarial; one had better use the Silk Road marketplace if one wants anonymity.
    ...
    ...

    (my point exactly)

    • (Score: 2, Touché) by Rosco P. Coltrane on Friday July 05, @07:43AM (1 child)

      by Rosco P. Coltrane (4757) on Friday July 05, @07:43AM (#1363146)

      Silk Road eh?

      You time-traveled to the wrong decade good buddy...

      • (Score: 0, Touché) by Anonymous Coward on Friday July 05, @11:46AM

        by Anonymous Coward on Friday July 05, @11:46AM (#1363161)

        ...
        ...
        (my point exactly)

        Put your eye glasses on next time. No guarantee it will help in case of nuance perception deficiency.

  • (Score: 4, Insightful) by Rosco P. Coltrane on Friday July 05, @07:41AM (5 children)

    by Rosco P. Coltrane (4757) on Friday July 05, @07:41AM (#1363144)

    You know, just sayin'...

    • (Score: 3, Insightful) by Runaway1956 on Friday July 05, @11:07AM (4 children)

      by Runaway1956 (2926) Subscriber Badge on Friday July 05, @11:07AM (#1363158) Journal

      Correct. If you have a shopping app, you are being spied upon. Ditto for those cool apps that use Android Auto to connect with your car, find cheap gasoline, or much of anything else. The vast majority of Android apps of any kind are spying apps. For purposes of this article, the spying isn't the bad thing. Spying for a Chinese corporation is the bad thing.

      --
      We've finally beat Medicare! - Houseplant in Chief
      • (Score: 5, Touché) by Rosco P. Coltrane on Friday July 05, @12:36PM (2 children)

        by Rosco P. Coltrane (4757) on Friday July 05, @12:36PM (#1363169)

        Spying for a Chinese corporation is the bad thing.

        Yeah, because I feel so much better when an American company spies on me...

        • (Score: 4, Insightful) by JoeMerchant on Friday July 05, @01:03PM

          by JoeMerchant (3937) on Friday July 05, @01:03PM (#1363171)

          And how can we tell that Temu isn't just a good 'ole Irish company that outsources some things to China where it makes business sense to do so? After all, Corporate Headquarters is located in Ireland!!! /s

          Transparency is always the answer. Let the AI and Robots take over the "work" - let real meat sacks spend their days compiling data on the AI and Robot running organizations, building profiles of how each of them is "Serving Man" [wikipedia.org] and informing such meat sacks as will listen how to vote with their hard currency.

          --
          🌻🌻 [google.com]
        • (Score: 2) by aafcac on Friday July 05, @06:01PM

          by aafcac (17646) on Friday July 05, @06:01PM (#1363198)

          The issue is that, for the typical citizen, having a Chinese company spying on them is probably preferable to an American one doing so. The government is fine with American companies spying on citizens; it allows them to conveniently ignore some of those pesky constitutional protections. The main issue they have is one of those Chinese companies finding information from specific people involved in the government or defense. If it wasn't for that, I doubt very much they'd care at all, as there are still plenty of domestic companies to keep feeding them information without the pesky warrants being involved.

      • (Score: 2, Insightful) by Anonymous Coward on Friday July 05, @09:43PM

        by Anonymous Coward on Friday July 05, @09:43PM (#1363213)

        The vast majority of Android^W apps of any kind are spying apps.

        There. FTFY.

        Even worse, "apps" are generally just inferior interfaces to existing web sites. And more's the pity.

  • (Score: 3, Interesting) by PiMuNu on Friday July 05, @07:41AM (19 children)

    by PiMuNu (3823) on Friday July 05, @07:41AM (#1363145)

    I think the story is not so much that there is a crappy piece of malware around (although that is noteworthy); it is that Android OS is so insecure and overrides privacy settings, making the privacy settings worthless.

    • (Score: 5, Interesting) by Snospar on Friday July 05, @08:20AM (12 children)

      by Snospar (5366) Subscriber Badge on Friday July 05, @08:20AM (#1363149)

      Seems to me it's even worse, according to this:

      Google considers a "high risk or sensitive permission" to install any program that it wants "without the user's knowledge or control."

      This means Google is well aware that this is malware but waves it through the vetting process and includes it in the Google app store anyway. I thought they were meant to be the gatekeepers preventing this sort of crap.

      --
      Huge thanks to all the Soylent volunteers without whom this community (and this post) would not be possible.
      • (Score: 2) by Rosco P. Coltrane on Friday July 05, @08:22AM

        by Rosco P. Coltrane (4757) on Friday July 05, @08:22AM (#1363150)

        This means Google is well aware that this is malware

        It takes one to know one.

      • (Score: 3, Insightful) by JoeMerchant on Friday July 05, @01:09PM (10 children)

        by JoeMerchant (3937) on Friday July 05, @01:09PM (#1363172)

        This is the hard nut at the core of security: you can either completely disable certain features for EVERYONE including the manufacturers, or you can assume that the features (like arbitrary code execution) will be accessible to some people, whom you do not know or control, at least some of the time.

        https://www.reddit.com/r/OutOfTheLoop/comments/502703/whats_the_story_behind_the_dvd_encryption_key/ [reddit.com]

        --
        🌻🌻 [google.com]
        • (Score: 4, Insightful) by aafcac on Friday July 05, @06:06PM (9 children)

          by aafcac (17646) on Friday July 05, @06:06PM (#1363199)

          One of the things that I wish would return is a specific jumper/switch to prevent writing to the device's firmware. I realize that since St. Jobs decreed that there shalt be no more physical buttons that we're stuck without the ones that matter, but for things like firmware writes, turning on a webcam and airplane mode, there's nothing quite like a physical switch that's right in the path of whatever is powering the function we're talking about.

          I realize that it could be annoying to accidentally put an iPhone in airplane mode, but being able to physically see that it was in airplane mode and put it in/take it out of that mode without having to power it on was pretty convenient.

          Firmware that's read only unless you switch mode would do wonders for security as you could always either mount the bits you want to write over top of the secured version or copy from the known good one to the portions that can be modified if there's any question about malware.

          It's a real shame that rather than just educating people how to use the hardware, we've dumbed it down to the point where it's incredibly hard to secure, even if you have the knowledge and want to do it.

          • (Score: 2) by JoeMerchant on Friday July 05, @07:50PM (8 children)

            by JoeMerchant (3937) on Friday July 05, @07:50PM (#1363205)

            My webcams all have physical shutters. You can buy very nice stick-on ones: https://www.amazon.com/Ultra-Thin-Compatible-MacBook-Computer-Security/dp/B08CVKRZW9 [amazon.com]

            For anything calling itself a "secure" device, I see immutable software and even configuration images with data-only rewritable volumes becoming "a thing" very soon, with some kind of physical key - even if just a momentary pushbutton - which is required to authorize any changes on the firmware, software and configuration storage. The less "configuration" that gets stored in the data volume, the more secure a device will become. Of course, today, standard practice is for everything to be freely rewritable with only network commands required to trigger the "security update." I had an evil scheme to take over the world back in 1985, step 1: distribute self-updating via network software. Anyone I discussed it with back then said something along the lines of "nobody would be stupid enough to install your self-updating software, much less give it a network connection to allow it to download arbitrary code."

            --
            🌻🌻 [google.com]
            • (Score: 3, Funny) by c0lo on Friday July 05, @08:31PM (2 children)

              by c0lo (156) Subscriber Badge on Friday July 05, @08:31PM (#1363208) Journal

              My webcams all have physical shutters. You can buy very nice stick-on ones: [amazon link]

              Heh, have you tried temu [temu.com]? :large-grin:

              --
              https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
              • (Score: 2) by JoeMerchant on Friday July 05, @10:02PM

                by JoeMerchant (3937) on Friday July 05, @10:02PM (#1363218)

                Heh, I think I bought something from Temu once, just once via the website interface, and whatever it was came with a bunch of the webcam covers included - no explanation. I had to use Google Lens to figure out what they were... kinda cool in the end. Maybe it was some other Chinese source instead of Temu.... not sure it was a while ago.

                --
                🌻🌻 [google.com]
              • (Score: 0) by Anonymous Coward on Saturday July 06, @01:59AM

                by Anonymous Coward on Saturday July 06, @01:59AM (#1363252)

                Heh, have you tried temu [temu.com]

                I just did and they require me to sign up in order to see anything other than the login page. Fuck. That. Noise.

            • (Score: 0) by Anonymous Coward on Friday July 05, @09:48PM (4 children)

              by Anonymous Coward on Friday July 05, @09:48PM (#1363214)

              For anything calling itself a "secure" device, I see immutable software and even configuration images with data-only rewritable volumes becoming "a thing" very soon,

              cf. Fedora Atomic Desktops [fedoraproject.org]:

              • (Score: 2) by JoeMerchant on Friday July 05, @10:04PM (3 children)

                by JoeMerchant (3937) on Friday July 05, @10:04PM (#1363219)

                Yeah, I wish the various "immutable" distros were working better than they are right now.

                I even just wish that somebody would finally get ZFS sorted in Debian, it's still got some nasty rough edges - I used it for over a year on my daily driver before it slashed the jugular of my system. Luckily, I don't really keep anything of value on my daily driver, and most of my complex configuration needs are scripted and stored in source repos various places.

                --
                🌻🌻 [google.com]
                • (Score: 0) by Anonymous Coward on Friday July 05, @11:53PM (2 children)

                  by Anonymous Coward on Friday July 05, @11:53PM (#1363230)

                  Yeah, I wish the various "immutable" distros were working better than they are right now.

                  What part(s) of Fedora Atomic Desktops don't work so well that precludes them from being used right now?

                  Not being snarky, I just really don't know what you're talking about and would very much like to know what issues you've seen.

                  Thanks!

                  • (Score: 2) by JoeMerchant on Saturday July 06, @02:36AM

                    by JoeMerchant (3937) on Saturday July 06, @02:36AM (#1363254)

                    >What part(s) of Fedora Atomic Desktops don't work so well that precludes them from being used right now?

                    Haven't evaluated it, don't know.

                    What I can tell you is that I did evaluate ZFS under Ubuntu 22.04 - come to think of it I probably set up my daily driver in May or June of 2022 with it. It ran "great" as far as I knew, until May of 2024 when I started running out of system resources, RAM and disk space - started looking at it and I only had 100GB stored on a 200GB drive, but it was chronically out of space and not easily recovered by any guides I could find on Google, and as it was time for a system update anyway, I just clean-sheeted it with 24.04 on ext4.

                    Further, I ran into problems with subtle interactions between ZFS as a host filesystem and VirtualBox - nasty enough that it couldn't be used as a base for our product which depends on VirtualBox, but subtle enough that it didn't show up until after a week or more of use. These are the things I really try to keep out of our product: surprises that will get past system validation testing and trigger field recalls. Thank goodness for the VirtualBox bug that showed up relatively faster, I'd hate to have whatever happened to my daily driver to start showing up in the field, especially since our systems are equipped with a whopping 120GB SSD and 40GB of that goes into the VM, so if you're down to 60GB net usable capacity, 40 of which is spoken for in the VM - it can get tight fast in a host OS with only 20GB for all the logs and other data we store.

                    Fedora is unattractive for our product from a licensing perspective, although it is attractive from a "veneer of supportedness" perspective which we are staying in Ubuntu for - even though we're not signing up for Ubuntu One, the ability to do so may make the difference in some contract bids - if it weren't for that wrinkle I'd be putting us into Debian 12.6 now.

                    So, issues, well - just look at what all you use, especially weird stuff that may have some special needs - has Fedora worked out all the kinks for _your_ packages that might get pissy about not being able to modify some of their configuration files? Have the devs really tested all the edge cases you will be using? If you're a very vanilla user, they may be there by now, but from what I've read about ALL the immutable distros, there's a LOT of packages that just aren't fully ironed out yet in the new scheme. It reminds me of the early days of Raspbian when there was a lot (more) stuff that you'd like to use but it's just not available on ARM - yet.

                    It will get there... like Ubuntu Core might with their Snap based Ubtopia, but is it there today? Only for specific use cases, I think.

                    Facts, you're looking for facts? Only opinions available at this hour.

                    --
                    🌻🌻 [google.com]
                  • (Score: 2) by JoeMerchant on Saturday July 06, @02:40AM

                    by JoeMerchant (3937) on Saturday July 06, @02:40AM (#1363255)

                    >What part(s) of Fedora Atomic Desktops don't work so well that precludes them from being used right now?

                    Haven't evaluated it, don't know.

                    What I can tell you is that I did evaluate ZFS under Ubuntu 22.04 - come to think of it I probably set up my daily driver in May or June of 2022 with it. It ran "great" as far as I knew, until May of 2024 when I started running out of system resources, RAM and disk space - started looking at it and I only had 100GB stored on a 200GB drive, but it was chronically out of space and not easily recovered by any guides I could find on Google, and as it was time for a system update anyway, I just clean-sheeted it with 24.04 on ext4.

                    Further, I ran into problems with subtle interactions between ZFS as a host filesystem and VirtualBox - nasty enough that it couldn't be used as a base for our product which depends on VirtualBox, but subtle enough that it didn't show up until after a week or more of use. These are the things I really try to keep out of our product: surprises that will get past system validation testing and trigger field recalls. Thank goodness for the VirtualBox bug that showed up relatively faster, I'd hate to have whatever happened to my daily driver to start showing up in the field, especially since our systems are equipped with a whopping 120GB SSD and 40GB of that goes into the VM, so if you're down to 60GB net usable capacity, 40 of which is spoken for in the VM - it can get tight fast in a host OS with only 20GB for all the logs and other data we store.

                    Fedora is unattractive for our product from a licensing perspective, although it is attractive from a "veneer of supportedness" perspective which we are staying in Ubuntu for - even though we're not signing up for Ubuntu One, the ability to do so may make the difference in some contract bids - if it weren't for that wrinkle I'd be putting us into Debian 12.6 now.

                    So, issues, well - just look at what all you use, especially weird stuff that may have some special needs - has Fedora worked out all the kinks for _your_ packages that might get pissy about not being able to modify some of their configuration files? Have the devs really tested all the edge cases you will be using? If you're a very vanilla user, they may be there by now, but from what I've read about ALL the immutable distros, there's a LOT of packages that just aren't fully ironed out yet in the new scheme. It reminds me of the early days of Raspbian when there was a lot (more) stuff that you'd like to use but it's just not available on ARM - yet.

                    It will get there... like Ubuntu Core might with their Snap based Ubtopia, but is it there today? Only for specific use cases, I think.

                    Facts, you're looking for facts? Only opinions available at this hour. I will note, when I have made opinion based decisions in a professional capacity, I'm batting better than the best Major League baseball hitters, at least for a 5 year horizon. For the strikes, you want to err on the conservative side.

                    --
                    🌻🌻 [google.com]
    • (Score: 3, Interesting) by anubi on Friday July 05, @08:34AM (5 children)

      by anubi (2828) on Friday July 05, @08:34AM (#1363152) Journal

      That is the reason I have several Androids...

      Only two of them have my real name and payment credentials...one for Amazon/eBay, the other for everything else. I keep fast-food apps on six "scrap" expired cellphones I got out of a recycle bin, so I have enough coupon offers for multiple visits or sharing with friends. That's all that is in those phones...loyalty apps. I had to agree to a lot of legalese to load the apps. It would have taken me weeks to read and understand all that business talk behind the "agree" button, so I just run the whole lot of them in phones that have nothing but other food apps in them. No phone contact lists, no social media accounts. For Gawdsake, no payment apps! Just a phone reset to Factory with no telephony service. Just WiFi. And lots of anonymous business loyalty apps that I have no idea what I agreed to. I don't have to worry about my granting them rights to pillage my phone. Pillage all they want. There is nothing there. Even if their app places a bunch of orders on my behalf, there exists no means to pay, so any sneaky businesstalk to get me tangled up has no means to bill me.

      I figured if I use TEMU, I will have to use prepaid debit cards and set up another factory reset phone just for interacting with them. Lessee...they get my legal name, address, and a debit card that will cover the purchase. How can that be used against me?

      I hate having to be so damn paranoid...but knowing how sneaky people can get using anonymity of technology combined with the crap they foist on me to agree to, I can't help but be watchful on the internet.

      Things happen so fast

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 3, Insightful) by PiMuNu on Friday July 05, @09:02AM (1 child)

        by PiMuNu (3823) on Friday July 05, @09:02AM (#1363153)

        Most sane vendors have purchase supported through web browsers. I don't like the cellphone form factor anyway, far rather use a browser on a laptop.

        • (Score: 1) by anubi on Tuesday July 09, @12:48AM

          by anubi (2828) on Tuesday July 09, @12:48AM (#1363509) Journal

          I don't trust my desktop web browsing machine. When I browse, I often visit shady sites in my quests to find info to fix my old stuff, as even their own makers won't leave their old files up.

          I'll browse till the cows come home on my browsing machine. It's like the "pusher stick" I use with my table saw when I don't want my fingers anywhere near that blade. Or when I have money involved...that's on a browser phone, local private intranet. Nothing else on that phone but trusted contacts. I treat it like a wallet. It has my payment credentials in it. Nothing else but my file cabinet has copies of that in it.

          If I lose my "traveling" phone ( the "best" one I have, one of two that actually work as a phone! ), it would be an inconvenience, but hardly a disaster. It's backed up on other phones with huge memories. It does have my family and friends contact list though, as well as a helluva lot of diagnostic apps. Some people have dozens of backup disks...I have dozens of expired smartphones which can only place emergency calls, ( which I have never verified ).

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by looorg on Friday July 05, @09:30AM (2 children)

        by looorg (578) on Friday July 05, @09:30AM (#1363154)

        Lessee...they get my legal name, address, and a debit card that will cover the purchase. How can that be used against me?

        If they control the app, it has wifi and they can just dream up orders out of thin air, then they won't need your debit card. If they have your legal name and address they could just send you things and then include an invoice in the package where some form of "agreed" upon payment plan is included.

        • (Score: 0) by Anonymous Coward on Saturday July 06, @02:45AM (1 child)

          by Anonymous Coward on Saturday July 06, @02:45AM (#1363257)

          That's nice. I might even send them a "thankyou for the free gift" message. Unsolicited goods do not create any obligation on the part of the receiver here. If they try to argue they have a legal order they have to show up for either court or small claims tribunal. Pretty sure they are not going to.

          • (Score: 2) by looorg on Saturday July 06, @02:00PM

            by looorg (578) on Saturday July 06, @02:00PM (#1363291)

            That is how I see it too. But there are people that, if they get sent things, start to spend a lot of time and effort in having contact with whomever sent things, insisting that they have not ordered things etc. Me, I just keep it. Mine. Clearly a gift if I didn't order it.

            But if they have control over the machine I guess they can fake some orders and then start to send them out and claim that you have ordered them. Which could eventually become a problem for you too, if they start to make claims against you that you then have to one way or another fight.

            I guess the alternative is to just tell whomever delivers the package that you didn't order it, you refuse to accept it and they should just return it to the sender. Preferably also then attaching about 3-5 bricks to the package to increase the postage. Also possibly including an invoice of your own for postage and package handling fees on your end.

  • (Score: 5, Interesting) by ledow on Friday July 05, @08:26AM (1 child)

    by ledow (5567) on Friday July 05, @08:26AM (#1363151) Homepage

    I use their website.

    They push their app SO HARD (including deals on Facebook ads that when you click are only available to their mobile app users) that it was obvious there was more going on there.

    As it was, I find it difficult to understand the organisational structure of the company - there is a UK company that ultimately posts me my purchases, but they don't seem to do anything and the rest of it is obscured and based in China.

    It's clear they were wanting to hoover up data from the app, and it's the reason I don't tolerate apps instead of website, and also why I delete any app that INSISTS I have to give it the permissions it asks for. Unless you're a satnav app, you don't need even my approximate location, and so on.

    • (Score: 3, Interesting) by JoeMerchant on Friday July 05, @01:22PM

      by JoeMerchant (3937) on Friday July 05, @01:22PM (#1363174)

      Temu is the new Oriental Trading. They give stuff away for unbelievably low prices (first sign of a scam: too good to be true? Then it almost always is.) People get hooked. I forget the details, but somebody with inside knowledge of Oriental Trading shared some of their customer tracking data with a friend once - the typical customer orders one thing, then another, then a few more, then they start ordering additional things before the previous orders are even delivered. It's like crack dealers giving away "free samples."

      In today's world, the customer has additional value: - no paper rag to deliver to the mailbox to keep them coming, all kinds of personal information beyond their address and order history to market to data consumers. Where Oriental Trading could only publish "limited time offer" coupons in their rag, Temu can now offer their customers casino style discount games... it's all about driving customer engagement, stickiness, addiction - call it loyalty if you want. It's working beneath the rational cognitive decision making level to drive the desired behaviors in their customers.

      I wonder how long before such engagement platforms branch out beyond hacking your private data for simple direct cash grabs and start driving political and/or military agendae?

      Oh, wait... https://time.com/5197255/facebook-cambridge-analytica-donald-trump-ads-data/ [time.com]

      --
      🌻🌻 [google.com]