SoylentNews is people

Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims

Accepted submission by Freeman at 2024-06-27 18:09:40 from the embrace the suck dept.
News

https://arstechnica.com/tech-policy/2024/06/shopping-app-temu-is-dangerous-malware-spying-on-your-texts-lawsuit-claims/ [arstechnica.com]

Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly [theinformation.com] trying to copy it—is "dangerous malware" that's secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit [arstechnica.net] filed Tuesday.

Griffin cited research and media reports exposing Temu's allegedly nefarious design, which "purposely" allows Temu to "gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications."

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place."
[...]
The company that owns Temu, PDD Holdings, was founded in 2015 by a former Google employee, Colin Huang. It was originally based in China, but after security concerns were raised, the company relocated its "principal executive offices" to Ireland, Griffin's complaint said. This, Griffin suggested, was intended to distance the company from debate over national security risks posed by China, but because the majority of its business operations remain in China, risks allegedly remain.
[...]
Last year, Temu was the most downloaded app in the US, Griffin's complaint noted, while most users had no way of knowing that the app was allegedly collecting "a shocking amount of sensitive user data" that was "beyond what is necessary for an online shopping app."

According to the complaint, Temu is allegedly obscuring its unauthorized access to data through misleading terms of use and privacy policies that do not alert users to the full scope of data that the app can potentially collect. That includes not telling users about tracking granular locations for no defined purpose and collecting "even biometric information such as users’ fingerprints."

App store security scans don't flag Temu's risks, the complaint alleged, because Temu can "change its own code once it has been downloaded to a user’s phone"—which means it's essentially able to transform into malware once it is past the security checkpoint.
[...]
On Android phones, Temu also allegedly uses what Google considers a "high risk or sensitive permission" to install any program that it wants "without the user's knowledge or control." While some apps require this permission to function, "there is no justifiable use for this feature on the Temu app, which purportedly is simply an e-commerce platform," the complaint said.
[...]
According to Statista data, Temu has only become more popular as reports of security and privacy risks have come out. In May, "the app was downloaded over 52 million times all over the world, making it more popular than Amazon’s marketplace app." As Temu's popularity soars, Griffin hopes to intervene to stop allegedly deceptive and privacy-infringing trade practices that could impact millions.

Temu and PDD Holdings "utilize deception—in the forms of misrepresentation, omission, and deliberate concealment—to mask the Temu app's behavior, hide the fact that PII is being siphoned from the user's device, and prevent the user from knowing that said PII is subject to unfettered use by other individuals and an adversarial government," the lawsuit alleged.

