news

Temu Accused of Data Risks After Sister App Was Suspended for Malware

Stefani Reynolds | Afp | Getty Images
  • The U.S. has accused Temu of potential data risks after Google suspended its Chinese sister app, but analysts are not too worried.
  • "Temu is not as aggressive as Pinduoduo that is requesting all kinds of privileges," said Kevin Reed, chief information security officer at cybersecurity firm Acronis.
  • Temu is taking the U.S. market by storm with discount items from fashion to pet supplies to home goods.
  • "I am less worried about the shopping apps than social media platforms like TikTok and Lemon8," said Lindsay Gorman, senior fellow for emerging tech, German Marshall Fund.

The U.S. has accused discount shopping site Temu of possible data risks after its Chinese sister app was pulled from Google's app store over "malware" — but analysts say they're not that worried.

Compared to Pinduoduo, which was suspended by Google in March after versions offered outside Google's Play store were found to contain malware, Temu is "not as aggressive," one analyst said.

The malware in Pinduoduo was found to leverage specific vulnerabilities for Android phones, allowing the app to bypass user security permissions, access private messages, modify settings, view data from other apps and prevent uninstallation.

Google called it an "identified malicious app" and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied those claims.

According to analysis by Kevin Reed, chief information security officer at cybersecurity firm Acronis, Pinduoduo requests for as many as 83 permissions — including access to biometrics, Bluetooth and information about Wi-Fi networks.

"Some of these permissions Pinduoduo is asking seems to be unexpected for an e-commerce app," said Reed, who shared his analysis of both apps with CNBC.

"But Temu is not as aggressive as Pinduoduo that is requesting all kinds of privileges," said Reed.

Pinduoduo is a China-based e-commerce app that sells everything from groceries to clothing. It is the flagship product of Nasdaq-listed Chinese company PDD Holdings which also owns Temu. Temu's headquarters are located in Boston.

"There should be no need for biometric data to be stored on an e-commerce website or app. I personally wouldn't want my biometric data to be stored anywhere else other than my device," said Sean Duca, vice president and regional chief security officer for Asia Pacific and Japan at cybersecurity firm Palo Alto Networks.

"Biometrics have a lot greater value than anything else, because I can't simply change my fingerprint at all, unlike passwords," said Duca.

He also questioned why access to Wi-Fi information was necessary. If it is corporate Wi-Fi that the user is connected to, it will "become a very lucrative target for cyber criminals where they start to actually gain access to this information," cautioned Duca. "But why does an e-commerce provider actually need that?"

What does Temu do?

Temu, dubbed a copycat of fast-fashion label Shein, is taking the U.S. market by storm.

Just 17 days after its launch in September, the app surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the U.S., according to Apptopia data shared with CNBC. It launched in the U.K. in March, just weeks after entering Australia and New Zealand.

The fact that Pinduoduo "has requested even more permissions than Temu app even though they seem to be a similar kind of applications seems over-intrusive to me," said Reed.

"Pinduoduo is much more aggressive in collecting users' information," said Reed who claimed the data was "obviously [transferred] back to the company."

PDD Holdings did not respond to CNBC's request for comment regarding those permissions.

In comparison, the Temu app requests for 24 permissions, said Reed. Some of these permissions include access to Bluetooth and information about Wi-Fi networks.

"There have been no reports of the malicious functionality present in official Play, App Store or third-party versions of Temu. The keys used to sign the Pinduoduo malware are not the same keys used to sign the Temu app," said Daniel Thanos, vice president and head of Arctic Wolf Labs, the threat intelligence arm of cybersecurity firm Arctic Wolf.

"Based on our analysis, it appears that this malware is targeting Chinese users primarily, as it appears to target devices usually sold and used in China such as Xiaomi, Vivo, Oppo, Samsung, etc, and their corresponding applications," said Thanos. PDD Holdings did not immediately respond to CNBC's request for comment.

Data risks

In a report on Chinese "fast fashion" platforms published in April, the U.S.-China Economic and Security Review Commission accused Temu and Shein of posing possible data risks.

Shein and Temu "primarily rely on U.S. consumers downloading and using Chinese apps to curate and deliver products," said the report.

"These firms' commercial success has encouraged both established Chinese e-commerce platforms and startups to copy its model, posing risks and challenges to U.S. regulations, laws, and principles of market access," it said.

Chinese-owned apps face intense scrutiny in the U.S. over security concerns. U.S. lawmakers have cautioned that any Chinese-owned apps could be vulnerable to data privacy breaches or interference from the Chinese government.

While politicians often accuse Chinese companies of handing data over to the Chinese government, there is no evidence to support such claims.

"But there's also a larger play here, which is many other apps that are not talked about are also collecting information and have been doing so for such a very long time," said Duca, noting it is more of a systemic problem.

One analyst said she was less worried about shopping apps than social media platforms such as TikTok and its sister app Lemon8.

"From a national security standpoint, in addition to creating user profiles with all these data, social media platforms also have the ability to select, promote and demote content based on opaque metrics that ultimately, we don't really have an insight into," said Lindsay Gorman, senior fellow for emerging tech at the German Marshall Fund.

For shopping apps, the "real sort of content influence" may be Chinese companies promoting their products which "feels less of a threat to democracy," said Gorman. Instead, social media apps could promote content about political topics which are much harder to track, she said.

TikTok faces a possible ban in the U.S. after its CEO Shou Zi Chew's testimony before Congress, which failed to quell lawmakers' concerns about the app's ties to China or the adequacy of Project Texas, its plan to store U.S. data on American soil.

"ByteDance is not owned or controlled by the Chinese government. It's a private company," Chew said during the hearing.

In his first public interview since the congressional hearing, Chew said at the TED2023 conference last week: "We are building all the tools to prevent any of [Chinese government interference in U.S. elections] from happening."

He said he was "very confident" the risk can be reduced to as close as zero with the company being "very, very far along" with Project Texas.

Another analyst, Glenn Gerstell, senior advisor at Center for Strategic and International Studies, said these apps are "ultimately controlled by Chinese parties and that's what the American political system is going to be focused on." Geopolitical tensions with China will continue to put Chinese apps under scrutiny.

"It may be that if we got more sophisticated, we'd be able to distinguish one app from another and create a safer, more limited and controlled space. But right now, we don't have that system in place," said Gerstell.

Copyright CNBC
Contact Us