Temu accused of data risks after sister app was suspended for malware (2024)

In just 17 days after launch, Temu surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the U.S., according to Apptopia data shared with CNBC.

The U.S. has accused discount shopping site Temu of possible data risks after its Chinese sister app was pulled from Google's app store over "malware" — but analysts say they're not that worried.

Compared to Pinduoduo, which was suspended by Google in March after versions offered outside Google's Play store were found to contain malware, Temu is "not as aggressive," one analyst said.

The malware in Pinduoduo was found to leverage specific vulnerabilities for Android phones, allowing the app to bypass user security permissions, access private messages, modify settings, view data from other apps and prevent uninstallation.

Google called it an "identified malicious app" and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied those claims.

According to analysis by Kevin Reed, chief information security officer at cybersecurity firm Acronis, Pinduoduo requests as many as 83 permissions — including access to biometrics, Bluetooth and information about Wi-Fi networks.

"Some of these permissions Pinduoduo is asking seems to be unexpected for an e-commerce app," said Reed, who shared his analysis of both apps with CNBC.

"But Temu is not as aggressive as Pinduoduo that is requesting all kinds of privileges," said Reed.

Pinduoduo is a China-based e-commerce app that sells everything from groceries to clothing. It is the flagship product of Nasdaq-listed Chinese company PDD Holdings which also owns Temu. Temu's headquarters are located in Boston.

"There should be no need for biometric data to be stored on an e-commerce website or app. I personally wouldn't want my biometric data to be stored anywhere else other than my device," said Sean Duca, vice president and regional chief security officer for Asia Pacific and Japan at cybersecurity firm Palo Alto Networks.

"Biometrics have a lot greater value than anything else, because I can't simply change my fingerprint at all, unlike passwords," said Duca.

He also questioned why access to Wi-Fi information was necessary. If it is corporate Wi-Fi that the user is connected to, it will "become a very lucrative target for cyber criminals where they start to actually gain access to this information," cautioned Duca. "But why does an e-commerce provider actually need that?"

What does Temu do?

Temu, dubbed a copycat of fast-fashion label Shein, is taking the U.S. market by storm.

Just 17 days after its launch in September, the app surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the U.S., according to Apptopia data shared with CNBC. It launched in the U.K. in March, just weeks after entering Australia and New Zealand.

The fact that Pinduoduo "has requested even more permissions than Temu app even though they seem to be a similar kind of applications seems over-intrusive to me," said Reed.

"Pinduoduo is much more aggressive in collecting users' information," said Reed, who claimed the data was "obviously [transferred] back to the company."

PDD Holdings did not respond to CNBC's request for comment regarding those permissions.

In comparison, the Temu app requests 24 permissions, said Reed. Some of these permissions include access to Bluetooth and information about Wi-Fi networks.

"There have been no reports of the malicious functionality present in official Play, App Store or third-party versions of Temu. The keys used to sign the Pinduoduo malware are not the same keys used to sign the Temu app," said Daniel Thanos, vice president and head of Arctic Wolf Labs, the threat intelligence arm of cybersecurity firm Arctic Wolf.

"Based on our analysis, it appears that this malware is targeting Chinese users primarily, as it appears to target devices usually sold and used in China such as Xiaomi, Vivo, Oppo, Samsung, etc, and their corresponding applications," said Thanos. PDD Holdings did not immediately respond to CNBC's request for comment.

Data risks

In a report on Chinese "fast fashion" platforms published in April, the U.S.-China Economic and Security Review Commission accused Temu and Shein of posing possible data risks.

Shein and Temu "primarily rely on U.S. consumers downloading and using Chinese apps to curate and deliver products," said the report.

"These firms' commercial success has encouraged both established Chinese e-commerce platforms and startups to copy its model, posing risks and challenges to U.S. regulations, laws, and principles of market access," it said.

Chinese-owned apps face intense scrutiny in the U.S. over security concerns. U.S. lawmakers have cautioned that any Chinese-owned apps could be vulnerable to data privacy breaches or interference from the Chinese government.

While politicians often accuse Chinese companies of handing data over to the Chinese government, there is no evidence to support such claims.

"But there's also a larger play here, which is many other apps that are not talked about are also collecting information and have been doing so for such a very long time," said Duca, noting it is more of a systemic problem.

One analyst said she was less worried about shopping apps than social media platforms such as TikTok and its sister app Lemon8.

"From a national security standpoint, in addition to creating user profiles with all these data, social media platforms also have the ability to select, promote and demote content based on opaque metrics that ultimately, we don't really have an insight into," said Lindsay Gorman, senior fellow for emerging tech at the German Marshall Fund.

For shopping apps, the "real sort of content influence" may be Chinese companies promoting their products which "feels less of a threat to democracy," said Gorman. Instead, social media apps could promote content about political topics which are much harder to track, she said.

TikTok faces a possible ban in the U.S. after its CEO Shou Zi Chew's testimony before Congress, which failed to quell lawmakers' concerns about the app's ties to China or the adequacy of Project Texas, its plan to store U.S. data on American soil.

"ByteDance is not owned or controlled by the Chinese government. It's a private company," Chew said during the hearing.

In his first public interview since the congressional hearing, Chew said at the TED2023 conference last week: "We are building all the tools to prevent any of [Chinese government interference in U.S. elections] from happening."

He said he was "very confident" the risk can be reduced to as close as zero with the company being "very, very far along" with Project Texas.

Another analyst, Glenn Gerstell, senior advisor at the Center for Strategic and International Studies, said these apps are "ultimately controlled by Chinese parties and that's what the American political system is going to be focused on." Geopolitical tensions with China will continue to put Chinese apps under scrutiny.

"It may be that if we got more sophisticated, we'd be able to distinguish one app from another and create a safer, more limited and controlled space. But right now, we don't have that system in place," said Gerstell.


Temu accused of data risks after sister app was suspended for malware?

The US government accused Temu of potential data risks after Google suspended its sister site, e-commerce platform Pinduoduo, for containing malware. According to CNBC, analysts say Temu is less of a threat, and the risks associated with Pinduoduo were targeted at Chinese users.

Does the Temu app have malware?

Temu is now the target of several class action lawsuits, one of them claiming that once the Temu app is downloaded, it has access to nearly everything on a user's phone. This lawsuit alleges that Temu uses malware and spyware to collect user data beyond what's necessary for an online shopping app.

What are the security risks of Temu?

People are also concerned that Temu might be collecting more personal data than it needs to operate the app. This is partly due to its parent company, Pinduoduo, which was previously accused of using malware to spy on users and removed from the Google Play Store.

What has Temu been accused of?

The opportunity to bag cheap goods may seem tempting, but Temu has been accused of unreliable service and data misuse. US lawmakers have also said there is an “extremely high risk” some products are made using forced labour. Here, we look at how Temu works and what you should consider before using the platform.

Does Temu spy on your phone?

“If you download Temu's app, you're going to find that you are allowing an enormous invasion of your privacy,” said Boston 25 News Consumer Adviser Clark Howard. “You're giving them permission to look at so much of your personal, private stuff that's on your phone.”

Is Temu spying on Americans?

Well, according to one congressman, the app may be spying on you. In a letter to President Joe Biden, Senator Tom Cotton (R-AR) has raised the alarm over the popular shopping app, alleging that the Chinese-owned platform may be “harvesting vast amounts of personal information from American consumers.”

What is the warning about Temu?

Jake Moore, Global Cyber Security Advisor at ESET, warns that the cash is 'not free' and giving away your data for money can be 'very dangerous down the line'. He explained: 'This app is effectively offering money, not for free, but it's offering money in exchange for personal data and device data.

What are the toxic chemicals in Temu?

Reports reveal elevated levels of lead, PFAS, and phthalates in fast fashion items. Temu's products, like those of its peers, harbor these toxins. In fact, Health Canada revealed that a Shein children's jacket contained more than 20 times the allowable amount of lead for children's products.

What can Temu do with your data?

According to Temu's privacy policy, the company does not "sell" your data -- for money, at least. However, Temu does share your information with shipping affiliates, marketing providers, and consumer research companies, which in turn generates revenue for Temu.

How to protect your data from Temu?

Using a VPN (Virtual Private Network) is also safe as it protects and encrypts your connection data.

Should I delete the Temu app?

Key Takeaways

Say goodbye to junk products and wasted money by deleting your Temu account today. Avoid data privacy concerns and deceptive advertising tactics by removing yourself from Temu's platform. Take control of your personal information and avoid Temu's shady schemes and false promises.

Is the Temu app safe to install?

Safety concerns have been raised around Temu and its data-gathering practices. According to a report by Grizzly Research, the app has the potential to escalate its privileges once installed, harvesting more user data than it really needs to operate.

Is using Temu safe?

Temu is not accredited by the Better Business Bureau (BBB) and has an average rating of two-and-a-half out of five stars. Many recent complaints about Temu on the BBB website say that items never arrived or took weeks or even months to arrive.

Can Temu access your camera?

TEMU's app references access to the users' camera and microphone, whenever the app is running.


Author: Frankie Dare
