科技回声 (Tech Echo): a tech news platform built on Next.js, mirroring Hacker News stories and discussion.
TEMU Is Cleverly Hidden Spyware That Poses an Urgent Security Threat to U.S.

111 points, by loganfrederick, over 1 year ago

23 comments

Calavar, over 1 year ago

A bit off topic, but this website has some of the most draconian TOS I've ever seen

> You agree that the information on this website is copyrighted, and you therefore agree not to distribute this information (whether the downloaded file, copies / images / reproductions, or the link to these files) in any manner other than by providing the following link: http://GRIZZLYREPORTS.COM

So this HN submission is in violation of their (probably unenforceable) TOS just by virtue of linking to a path other than the root path of the domain.

> If you have obtained research published by Grizzly Research LLC in any manner other than by download from that link, you may not read such research without going to that link and agreeing to the Terms of Use on the Grizzly Research LLC designated website.

Quite ridiculous to expect that you can enforce a directive (don't read this article) on someone who hasn't visited your site and is therefore probably unaware that your TOS even exist.
klik99, over 1 year ago

> TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.

This has literally been every startup in SV for the last 15 years - aggressively lose money acquiring users when new and then when you've killed the competition, start making money. The only thing is I don't see any external funding, so maybe they're doing it with hidden funding or a stockpile from PDD?

This feels like a lot of weak sauce, from the weird combo of clickbait title with CYA "We Believe", throwing a bunch of weak evidence all at once, overwhelming you into accepting the premise. If you have "smoking gun" evidence like they claim, then you wouldn't need to hedge your statement with "We believe". And this is an investment research company, not a security company. I'd sooner believe a pillow salesman ranting about the deep state than this.

~Edit~ Counterpoint: looks like their other main product Pinduoduo was removed from Google Play due to malware, so it could actually be true. https://krebsonsecurity.com/2023/03/google-suspends-chinese-e-commerce-app-pinduoduo-over-malware/

But I stand by my previous statement that literally nothing in this article is actual evidence, so if it does turn out to be true it's a coincidence.
duskwuff, over 1 year ago

> 1) Dynamic compilation using runtime.exec()

"cmd package compile" doesn't compile source code at runtime. It forces ahead-of-time compilation of an application's existing bytecode, which is something which Android already does on an as-needed basis. I'm not sure why the Temu app would be running this command (performance, maybe?), but it isn't clearly dangerous either.

https://source.android.com/docs/core/runtime/jit-compiler

The rest of the analysis doesn't seem much better, e.g.

> 3) TEMU queries information related to files, and not just its own files, but wants information on all files on the user's device by referencing "EXTERNAL_STORAGE", superuser rights and log files.

The EXTERNAL_STORAGE permission is literally just external storage, like the name implies. It doesn't grant access to files in internal storage, like other applications' data or system logs.

> 5) "Root" access. TEMU checks if a device has "root" access.

Yes, this is fairly common. (And indeed, the table at the top of the report notes that most of the other shopping apps they analyzed did this.)

> 6) Encryption, decryption and shifting integer signals libraries are in prior versions of Pinduoduo and TEMU apps. The only purpose of this is obscuration of malicious intent.

I'm not even sure what they're trying to suggest by this. Are they actually assuming that any use of bit-shifting operators is malicious?

> 10) [...] The TEMU app even reads and stores the MAC address, which is a unique and global hardcoded network identifier of a device. This is a big No No in internet security. A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.

This is complete nonsense. MAC addresses don't work like that.

> 11) Looking over your shoulder while you use your smartphone. TEMU calls getWindow().getDecorView().getRootView(), to make screenshots

That only captures the appearance of the Temu application, not other applications on the system.
alsdkjasldkj, over 1 year ago

A long writeup but very few facts:

> TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.

> TEMU is a notoriously bad actor in its industry. We see rampant user manipulation, chain-letter-like affinity scams to drive signups, and overall, the most aggressive and questionable techniques to manipulate large numbers of people to install the app.

> TEMU is demonstrably more dangerous than TikTok. The app should be removed from the Google and Apple app stores.

Grizzly Reports (https://twitter.com/ResearchGrizzly) is "focused on producing differentiated research insights on publicly traded companies through in-depth due diligence."

This seems like low quality junk to me.
joneholland, over 1 year ago

This is some kind of Walmart version of Hindenburg research. Even copying their website style.

Are they short PDD? Tough choice considering china stocks are so manipulated you'll go broke before the truth is revealed.
dragontamer, over 1 year ago

I'm not exactly an Android expert but... android.permission.INSTALL_PACKAGES, getRuntime.exec()... these basically are permissions for remote code execution, are they not?

I think this blogpost is hyperbolic in its discussion and that's a bit unhelpful. But this does look like a serious problem on my first glance. I'd like to see what a real Android-developer thinks about these permissions though.
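The exchange between duskwuff and dragontamer above turns on one point: a permission's name says nothing about whether a Play-installed app can actually hold it, and a Runtime.exec() call is only as dangerous as the command and where its arguments come from. The script below is an added example written for this page, not code from the report, from Temu or from any commenter. It parses a constructed AndroidManifest.xml, looks each declared permission up in a protection-level table (transcribed from AOSP's framework manifest; an assumption you should re-check against your target platform version), and sorts strings found next to exec() calls by what they do. INSTALL_PACKAGES and READ_LOGS come out as inert because they are signature|privileged and the package manager will not grant them to a third-party app; WRITE_EXTERNAL_STORAGE comes out as inert at targetSdk 30+ because scoped storage ignores it; `cmd package compile` is classified as ART ahead-of-time compilation rather than code loading.

```python
"""Permission triage for an AndroidManifest.xml, keyed on what a third-party
app can actually hold rather than on how alarming the permission name sounds.

Assumptions (not from the report or the thread): the protection levels in
PROTECTION are transcribed from AOSP's core/res/AndroidManifest.xml and should
be re-checked for the platform version you target; SAMPLE_MANIFEST and
SAMPLE_EXEC_STRINGS are constructed, not taken from Temu.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Protection level per permission (assumption: transcribed from AOSP).
PROTECTION = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
    "android.permission.READ_EXTERNAL_STORAGE": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.REQUEST_INSTALL_PACKAGES": "signature",
    "android.permission.INSTALL_PACKAGES": "signature|privileged",
    "android.permission.READ_LOGS": "signature|privileged",
}

# Signature-level permissions a user can still hand to an ordinary app through
# a Settings toggle ("Install unknown apps"), unlike true signature permissions.
USER_TOGGLE = {"android.permission.REQUEST_INSTALL_PACKAGES"}


def classify(perm, target_sdk):
    """Describe what declaring `perm` gets a non-system app at `target_sdk`."""
    level = PROTECTION.get(perm)
    if level is None:
        return "unknown: look up its protection level before scoring it"
    if perm in USER_TOGGLE:
        return "user-toggle: usable only after the user enables it in Settings, and then only launches the installer UI"
    if "privileged" in level or level == "signature":
        # The package manager refuses these to Play-installed or sideloaded apps;
        # the manifest entry is dead weight, not a capability.
        return "inert: signature/privileged, never granted to a third-party app"
    if perm == "android.permission.WRITE_EXTERNAL_STORAGE" and target_sdk >= 30:
        # Scoped storage: the permission has no effect once the app targets API 30+.
        return "inert: scoped storage ignores WRITE_EXTERNAL_STORAGE at targetSdk 30+"
    if level == "dangerous":
        return "runtime: needs user approval; reaches only the named resource"
    return "normal: granted at install; low risk"


def triage_manifest(manifest_xml):
    """Parse a manifest and return {permission name: verdict}."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1"))
    verdicts = {}
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        verdicts[name] = classify(name, target_sdk)
    return verdicts


def classify_exec_targets(strings):
    """Sort command strings found next to Runtime.exec() by what they actually do."""
    verdicts = {}
    for s in strings:
        if s.startswith("cmd package compile"):
            verdicts[s] = "art: forces AOT compilation of existing dex; compiles no new code"
        elif s == "su" or s.startswith("which su") or s.startswith("su "):
            verdicts[s] = "root-probe: checks for a rooted device; common and not itself malicious"
        elif s.startswith("sh -c ") or s.startswith("/system/bin/sh"):
            verdicts[s] = "shell: trace where the argument comes from; network-controlled input here is RCE"
        else:
            verdicts[s] = "other: review manually"
    return verdicts


# Constructed sample manifest for this example (not Temu's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>
"""

# Constructed strings of the kind a decompiler shows next to Runtime.exec().
SAMPLE_EXEC_STRINGS = ["cmd package compile -m speed -f com.example.shop", "which su", "sh -c id"]

if __name__ == "__main__":
    for perm, verdict in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm:55s} {verdict}")
    for cmd, verdict in classify_exec_targets(SAMPLE_EXEC_STRINGS).items():
        print(f"{cmd!r:55s} {verdict}")
```

To run it against a real APK, dump the manifest first (`aapt dump permissions app.apk` or `apkanalyzer manifest print app.apk`) and feed the XML to `triage_manifest`; the useful output is the list of permissions that are actually grantable, which is a much shorter list than the manifest suggests.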
Havoc, over 1 year ago

Interesting. Recently ordered from them for giggles just because the pricing was crazy yet people seem to be getting their stuff. Even mentioned to a friend that something feels very off commercially here - like something is aggressively subsidised.

Also noticed that they were specifically pushing in app purchases hard with discounts etc.

…but didn't connect the dots between those two odd things.
pie_flavor, over 1 year ago

I suspected something like this, given how aggressive the marketing and ludicrous the claims have been.

Which is why I'm three times as suspicious of this site, which makes similarly ludicrous claims under the guise of malware research, like being able to DDoS a revealed MAC address. I am supposed to believe this article, whether or not it's true.

I understand the need to scattershot claims - if they just said 'TEMU has the ability to install packages onto your phone' then TEMU would issue some apology and release a new version that's sneakier about it.

But please, instead of smacking me in the face with a TOS/disclaimer that's supposed to ward off litigation over false/misleading claims, just don't publish false/misleading claims! Because that gives *them* the ammunition to say 'the stuff people are saying about TEMU is all lies'.
saagarjha, over 1 year ago

The analysis in this post, as others have pointed out, is quite poor. I still wouldn't install the app, especially after the Pinduoduo scandal earlier this year (which *was* well substantiated), but this isn't very good evidence.
kylehotchkiss, over 1 year ago

Scariest thing here is the `write_external_storage`. Is this just going to install trojan horse things onto SD cards/memory sticks?

The time is coming for Apple to support iCloud private relay for all 3rd party apps. Ideally nothing is leaving the phone without it shortly.
daft_pink, over 1 year ago

Is it me or is this an over the top not very trustworthy article designed to move the stock market?
diogenes4, over 1 year ago

Why is it only foreign software is fingered as malware? I have no doubt this is extraordinarily malicious software, but so was google ads, so was facebook, so were the app stores on our phones.
nonethewiser, over 1 year ago

As I said in another comment, I would not be surprised if TEMU is spyware.

This website is questionable and I could really only find this other source or ones like it: https://www.usatoday.com/story/tech/columnist/komando/2023/04/20/delete-temu-app-cybersecurity-expert-advice/11667796002/

Still light on details and I'm not sure who this Komanda person is but there is some real appeal to authority going on and no hard evidence of the claims.

Again, I would not be surprised if it was spyware and it seems wise to be suspicious. Hopefully we get more information.
nonethewiser, over 1 year ago

Weird website aside, I would not at all be surprised that TEMU is spyware.
sharkweek, over 1 year ago

A few thoughts.

I'd honestly estimate 20% of the ads I see on websites now are TEMU. I've never clicked on one, and will never sign up. If they stop advertising the ad market will feel the waves.

The products being advertised to me are WILDLY irrelevant. It feels like they're just shooting a shotgun into the air.

It looks like they're selling only the cheapest stuff, like cutting the middleperson of the FIVE CAPITAL LETTER brand names that use Amazon Marketplace. As much as I don't trust a plunger or measuring cup from HYYNA, I trust TEMU quality even less.
winrid, over 1 year ago

It's interesting that the Amazon app requests more questionable permissions than TikTok
croes, over 1 year ago

> IMPORTANT LEGAL DISCLAIMER

THIS REPORT AND ALL STATEMENTS CONTAINED HEREIN ARE THE OPINIONS OF GRIZZLY RESEARCH LLC AND ARE NOT STATEMENTS OF FACT.
modeless, over 1 year ago

Surprisingly, for almost all the things that I've bothered to compare, Amazon is actually cheaper than Temu. Even cheap toys from China that I thought would be Temu's bread and butter. And of course the shipping is no contest. The deals look good in their app but try searching for the same item on Amazon and I bet you will be surprised.

Temu sometimes gives you more flexibility to order a single copy of small items while Amazon might only have bundles. But then Temu has a minimum order size you must meet while Amazon doesn't. So I haven't found any reason to use Temu after their ridiculous free money coupon for new users is gone.
mickelsen, over 1 year ago

What are the oh-so-deep discounts you guys see, that could justify that $30 figure. I mean, I'm seeing the same stuff from Aliexpress, at about the same price, with free shipping. Just another chinese marketplace like banggood, dhgate, etc. Or am I missing some crazy subsidy because I'm not from the US?
meowtimemania, over 1 year ago

Why would temu try to be spyware any more than google is spyware? I feel like doing something abnormally super sketchy is too high risk for them given how much stuff they sell and how much money they on their brand.
rado, over 1 year ago

https://www.joom.com/ has such great design and UX that I had to try it and it worked great (about 5 orders)
ThrowawayTestr, over 1 year ago

Why is everyone using this site? What's wrong with aliexpress?
actuallyrizzn, over 1 year ago

Weird TOS. I'm not clicking agree on that.