Date: 11/7/2023
Impacted Tech: TEMU App Software
Introduction:
Grizzly Research LLC, a research firm specializing in providing insights on publicly traded companies, has raised serious concerns regarding the shopping app TEMU, labeling it as “covert spyware with alarming implications for U.S. national security.” You can access the complete report here.
TEMU is a shopping application owned by PDD (Pinduoduo) Holdings Inc, a prominent Chinese online retailer. Notably, TEMU has achieved significant global popularity, with nearly 40.54 million downloads recorded as of September 2023.
Highlights:
A closer examination of TEMU’s application reveals numerous alarming features that have set off immediate warning signals. Grizzly’s experts have identified and outlined 18 software functions that are both “inappropriate and potentially hazardous,” typically associated with intrusive applications. TEMU incorporates all of these functions. Here is a breakdown of these functions:
These functions grant the application overly extensive permissions, enabling it to perform actions such as:
- Compiling and executing new programs on local devices.
- Querying, modifying, and transferring files from users’ devices.
- Accessing precise user locations within an approximate 10-foot radius.
- Checking for root access.
- Encrypting and decrypting data.
- Reading users’ system logs.
Additionally, it is worth noting that Chinese companies are generally required to provide access to their entire databases to Chinese government agencies (source).
Pinduoduo, a well-known Chinese budget shopping app, now under the umbrella of PDD Holdings, faced suspension from the Google Play Store in March 2023 due to the discovery of malware in certain app versions. Reports indicated that PDD had assembled a team of 100 programmers to identify and exploit OEM customizations of the Android operating system. It appears that TEMU and previous (malicious) versions of Pinduoduo share similar underlying codebases.
In line with a Wired report, TEMU is believed to be incurring losses of $30 per order, primarily due to substantial expenditures on advertising and shipping costs. Coupled with manipulative user practices, affinity scams to boost sign-ups, and an aggressive advertising scheme, Grizzly suspects that TEMU may already possess or plan to illicitly trade stolen data from Western country users to sustain a profitable business model.
Sources:
https://www.cyberclick.net/numericalblogen/top-10-most-downloaded-apps-of-2020-so-far
https://time.com/6243738/temu-app-complaints/
https://apnews.com/article/technology-business-china-data-privacy-1d3fcbac4549c6968c07897900c96cc3
Vulnerability Alert 