Temu – more Chinese spyware – the catch in cheap online shopping

Dr Arathi Arakala, program manager of the Masters in Cyber Security program at RMIT (Royal Melbourne Institute of Technology) University, found that Temu is a cybersecurity risk that ‘hoovers up’ consumer data from its website, app, and social media.

TEMU’s privacy and cookie policy states that the data it collects includes user data essential for its service, such as address, phone number and payment details. However, it may also collect other information that can be extracted from our profiles, such as photographs, interests, shopping history, links to profiles on social networks, and government-issued identification. Additionally, TEMU explicitly states that its business partners may capture information about us, our computer or device, and our location. As consumers, we must be aware of what data we intentionally agree to share and what data is being silently captured by the app.

Professor Asha Rao, a cybersecurity expert at the School of Science at RMIT, said,

It is important to ask ourselves whether we want our data to be used in locations and by entities we did not authorise. Are we sacrificing our privacy for a cheap avocado slicer?

Anti-virus/anti-malware firm Kaspersky said Temu/Pinduoduo’s shopping app platform was particularly egregious. Temu uses 18 of the most dangerous Android system calls; items 1, 4, 10 and 15 are the worst and are not permitted.

Read a technical report here.

USA experience – Class action

Pinduoduo, the app run by Temu’s parent company, is malware: it spies on other apps, reads notifications and messages, and changes system settings. The app requests 24 more permissions than necessary, including access to biometrics, Wi-Fi network info, Bluetooth, photos, videos, phone, messages, contact info and payment details. And it is almost impossible to remove.
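The paragraph above counts permissions but gives no way to reproduce the count. The following is an added example, not code from the article or from any app vendor: a small Python triage script that parses the text printed by `aapt dump permissions <apk>` (or `aapt2 dump permissions`), buckets each requested permission by Android protection level, and lists what is requested beyond a reviewer-defined baseline for a shopping app. The sample dump and the baseline set are constructed for illustration and do not describe any real app's manifest.

```python
"""Triage the permissions an Android package requests.

Added example (not from the article). Parses the output of
`aapt dump permissions <apk>` and sorts each requested permission into
Android protection levels so a reviewer can see which grants reach
sensitive data. The sample dump below is CONSTRUCTED for illustration.
"""
import sys
import re

# Runtime ("dangerous") permissions: the user must grant these explicitly.
DANGEROUS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
    "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO", "android.permission.READ_MEDIA_AUDIO",
    "android.permission.BLUETOOTH_SCAN", "android.permission.BLUETOOTH_CONNECT",
    "android.permission.NEARBY_WIFI_DEVICES", "android.permission.BODY_SENSORS",
    "android.permission.ACTIVITY_RECOGNITION", "android.permission.POST_NOTIFICATIONS",
}

# "Special" permissions: granted only through a dedicated Settings screen,
# and the ones that let an app act on other apps or on system settings.
SPECIAL = {
    "android.permission.SYSTEM_ALERT_WINDOW",      # draw over other apps
    "android.permission.WRITE_SETTINGS",           # change system settings
    "android.permission.REQUEST_INSTALL_PACKAGES", # side-load other packages
    "android.permission.PACKAGE_USAGE_STATS",      # which apps you use, and when
    "android.permission.MANAGE_EXTERNAL_STORAGE",  # all files on shared storage
}

# Hypothetical baseline: what a plain shopping app plausibly needs.
SHOPPING_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.CAMERA",              # barcode scanning
    "android.permission.POST_NOTIFICATIONS",
}

# Matches both `uses-permission: name='X'` and the older `uses-permission: X`.
USES_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")

# Constructed sample of aapt output; duplicate CAMERA line shows de-duplication.
SAMPLE_DUMP = """\
package: com.example.shop
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.BLUETOOTH_CONNECT'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.READ_MEDIA_IMAGES'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.WRITE_SETTINGS'
uses-permission: name='android.permission.USE_BIOMETRIC'
uses-permission: name='android.permission.CAMERA'
"""


def parse_permissions(dump_text):
    """Return the unique requested permission names, in manifest order."""
    names = []
    for line in dump_text.splitlines():
        m = USES_RE.match(line.strip())
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names


def classify(names):
    """Bucket permissions into dangerous / special / other."""
    buckets = {"dangerous": [], "special": [], "other": []}
    for n in names:
        key = "dangerous" if n in DANGEROUS else "special" if n in SPECIAL else "other"
        buckets[key].append(n)
    return buckets


def excess_permissions(names, baseline):
    """Permissions requested beyond the reviewer's baseline for this app type."""
    return [n for n in names if n not in baseline]


def report(dump_text, baseline=SHOPPING_BASELINE):
    """Build a human-readable summary; also returns the parsed buckets."""
    names = parse_permissions(dump_text)
    buckets = classify(names)
    extra = excess_permissions(names, baseline)
    lines = [f"{len(names)} permissions requested, {len(extra)} beyond baseline"]
    for level in ("dangerous", "special"):
        for n in buckets[level]:
            lines.append(f"  [{level:9}] {n}")
    return "\n".join(lines), buckets, extra


if __name__ == "__main__":
    # Pipe real output in: aapt dump permissions app.apk | python audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print(report(text)[0])
```

Note that a notification-reading capability comes from a `NotificationListenerService` declared in the manifest rather than from a `uses-permission` line, so it will not appear in this output; `aapt dump badging` or the decoded manifest is needed to see it.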

Google has removed the “identified malicious app” from its Play Store. Pinduoduo said it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google.”

Greenback washing

Temu claims it is a Boston-based online retailer listed on NASDAQ with no ties to China (TikTok says this, too). Investigation shows that it has the same owner and uses the same shopping software platform as Chinese social commerce giant Pinduoduo, which has approximately 900 million users. Many Chinese companies claim US heritage to gain credibility with Western markets.

It has also moved its HQ to Ireland to minimise tax and other legislative issues.

Cheap is as cheap does

There seems to be little impediment to listing counterfeit and illegal goods on its platform. In addition, thousands of ‘problematic’, unsafe (by Australian Consumer Law standards), or misdescribed goods are endemic to its merchant listing system. Getting returns and refunds is a huge issue.

In April 2019, Temu/Pinduoduo was first named in the Office of the United States Trade Representative’s list of Notorious Markets for Counterfeit Products and Piracy. Despite undertakings from the company, it is still on the list.

Respected analysts Bain and Company said a business model based on extreme discounts and promotions is not sustainable. We ask where the funding is coming from and what strings are attached.

State Sponsored? The US thinks so

As with TikTok, the real ownership or imprimatur is deeply concealed. So, too, are the AI and algorithms behind the apps and how they exfiltrate extremely valuable data to give the Chinese Communist Party access. Worse still, they can exert control over your devices. A deeper investigation reveals that it is heavily backed by State-owned Chinese tech giant Tencent and integrated into its WeChat messaging app.

Current and former Temu/Pinduoduo employees told CNN that the company has a specific initiative to discover Android vulnerabilities and develop exploits. Why would a shopping app do that unless it is to destabilise an economy in times of turmoil?

Chinese-owned apps face intense scrutiny in the U.S. over security concerns.

U.S. lawmakers have cautioned that any Chinese-owned apps could be vulnerable to data privacy breaches or interference from the Chinese government.

“From a national security standpoint, in addition to creating user profiles with all these data … they can also select, promote, and demote content based on opaque metrics that ultimately, we don’t really have an insight into,” said Lindsay Gorman, senior fellow for emerging tech at the German Marshall Fund.

Another analyst, Glenn Gerstell, senior advisor at the Center for Strategic and International Studies, said,

These apps are ultimately controlled by Chinese parties. That’s what the American political system is going to be focused on. Geopolitical tensions with China will continue to put Chinese apps under scrutiny.

If you must use Temu

First, remember that Amazon AU and eBay AU are safe. You are risking too much with Temu.

  • Install a paid anti-virus/malware program like Trend Micro Device Security Ultimate – excellent broad-spectrum protection.
  • Use a junk email address (easy to set up at Google or elsewhere) that you can afford to be hacked.
  • Give it false personal information, especially your birthdate and gender.
  • Use PayPal to protect your credit card details. PayPal never reveals your credit card number to merchants.
  • If possible, use a delivery address that is not your residential address.
  • Use the website instead of the app, which needs unnecessary permissions and could steal your data.
  • Read privacy terms (often as useless as the digital paper they are written on).
  • If a deal sounds too good to be true – it is.
  • Never answer questionnaires or provide merchant ratings.

Privacy Policy – a joke

Below are Temu’s 23 pages of Terms of Use and eight pages of Privacy Policy. We did not download the App, but you can expect the terms to be even more comprehensive. We know of few worse companies.

This is a long video but worth the watch.