Arkansas has sued the makers of the e-commerce platform Temu over alleged deceptive trade practices. The state claims the shopping app is “dangerous malware” abusing system permissions to steal user data. The lawsuit also raises security concerns over the platform’s Chinese origin.
Temu is malware disguised as shopping app, Arkansas lawsuit claims
Launched in the US in 2022, Temu is an online shopping platform owned by PDD Holdings. Originally a Chinese company, PDD Holdings shifted its headquarters to Ireland last year. The firm also runs a separate shopping app called Pinduoduo in China, which security researchers previously labeled as potential spyware. In March 2023, Google briefly removed the latter from the Play Store after some of its “off-Play versions” were found to contain malware.
In his official complaint, Arkansas Attorney General Tim Griffin linked the two apps. Since Temu came several years after Pinduoduo and made its global debut in the US, Griffin believes it was modeled off its Chinese version and may have the same security lapses. “Temu purports to be an online shopping platform, but it is dangerous malware, surreptitiously granting itself access to virtually all data on a user’s cell phone,” the lawsuit begins.
It goes on to make sweeping claims accusing the app’s makers of purposefully designing it to override privacy settings and gain unrestricted access to unnecessary user data. Griffin says Temu sells user data to third parties to make money, violating the privacy rights of Arkansas citizens. The Arkansas AG also pointed to Apple’s now-resolved concerns about the shopping app’s compliance with data security transparency standards in the US and Europe.
Moreover, Griffin’s lawsuit cites findings by an independent research firm saying Temu can potentially hack users. The number of system permissions and the amount of data it can access is too high for a shopping app. It “sneaks” permissions to gain access to the user’s location, saved files, storage device, and more, which aren’t critical to its normal functioning. Temu also collects sensitive or personally identifiable information that it doesn’t need.
Temu’s Chinese ties are a security threat
Arkansas’ lawsuit against Temu goes beyond labeling it as “malware” and raises security concerns over the app’s Chinese ties. Griffin says Temu’s leadership team is “a cadre of former Chinese Communist Party officials.” As such, the platform is a significant security threat to US citizens. This lawsuit seeks an order enjoining the platform’s deceptive trade practices and privacy violations. It also seeks civil penalties and other monetary and equitable relief.
“Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end,” Griffin said in an official statement. “Though it is known as an e-commerce platform, Temu is functionally malware and spyware. It is purposefully designed to gain unrestricted access to a user’s phone operating system. It can override data privacy settings on users’ devices, and it monetizes this unauthorized collection of data.”