Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.
Griffin cited research and media reports exposing Temu’s allegedly nefarious design, which “purposely” allows Temu to “gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications.”
“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community’s icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
deleted by creator
If this is actually possible then isn’t that a huge security vulnerability in Android and/or iOS? I feel if this was the case we’d be hearing about it from security researchers rather than a lawyer.
I’d believe it because I remember the same being true for TikTok.
I don’t have the links on me right now, but I remember clearly that when tiktok was new, engineers trying to figure out what data it collected found that the app could recognize when it was being observed, and would “rewite” itself to evade detection.
They noted that they’d never seen this outside of sophisticated malware, and doubted that a social media company had the resources to write such a program.
Em… writing a different manifest and asking the OS to reinstall itself, is not rocket science. Detecting that it’s running in a testing environment and not asking for permission to access some types of data, is also quite easy. Downloading a different update or modules depending on which device and environment it gets installed to, is basic functionality.
It’s still sneaky behavior and a dark pattern, but come on.
Uh, as someone who does malware analysis, sandbox detection is not easy, and is certainly not something that a non-malware-developer/analyst knows how to do. This isn’t 2005 where sandboxes are listing their names in the registry/ system config files.
I haven’t done sandbox detection for some years now, but around 2020, it was already “difficult” as in hard to write from scratch… yet already skid easy as in “copy+paste” from something that does it already. Surely newer sandboxes take more stuff into account, but at the same time more detection examples get published, simply advancing the starting point.
So maybe TikTok has a few people focused on it, possibly with some CI tests for several sandboxes. I don’t think it’s particularly hard to do 🤷
I found at least one of the posts, and you’re right, that’s not really what impressed them. It just stuck with me because I’m a hardware girl.
There is some irony to be had, in discussing this stuff on a page that starts by asking me to login, then to be good and disable my ad blocker, only to proceed with keeping half the text of the article as images so you can’t copy+paste it… and even all the comments!
Anyhow…
😈 Thanks for telling us where you got the link from, I didn’t really care. 😁
Static backup (possibly): https://archive.is/UD2SA
Check out: https://amiunique.org/fingerprint
No app needed!
Using that as a baseline… the CPU type, memory usage, disk space, etc. are some extra data points freely available to all apps.
A developer can distribute an app with multiple versions, some targeting more modern and capable devices, some older and more limited. It’s a feature, not a bug!
This is overreaching for an app that has nothing to do with managing other apps. Still, you may want some app with those capabilities… so let’s call it “sus”.
Your IP is… well, you’re using it to connect, they will see it, duh.
The rest is overreaching and comes into PI violation terrain, but can be used for geo location… the OS does it, that’s the data it uses to fine-tune the GPS’s location.
Typical feature for banking ad DRM protected apps. Nothing to see here.
Best answered by a comment [1] (SEE BELOW).
TL;DR: more DRM stuff.
This is somewhat sus, but a local proxy by itself, doesn’t mean any sort of risk, or that it could be exploited.
For example, Tor can be accessed using a local proxy (although VPN mode is safer).
Not exactly. It’s how feature flags, and remote testing/debugging works too.
This is worse (why do they use a custom OLLVM fork?), and obfuscation usually means they have something to hide. It’s the opposite of security for the user.
Not good, but unfortunately allowed. That behavior is shared by both DRM protected software, and malware.
False.
There are two legitimate reasons: plugins, and DLCs.
It can be used for shady stuff, but is also a “feature, not a bug”.
Well, that’s just stupid, there is zero reason to send data unencrypted.
Ehm… this is the correct behavior. See previous point.
Sus… but see the introductory part of this comment. Should boredpanda also be banned?
This is bad, and a reason to use FLOSS apps… but since it’s been an accepted behavior for Privative Software, along with DRM… don’t blame the player, blame the game.
No, seriously, blame the DMCA and friends. There is no way to at the same time “enforce DRM, keep a copy of all keys at a trusted third party, and keep users secure”… so the current situation is “you get none of those”.
[1]
Thanks for the analysis and insight!
deleted by creator
So just like the majority of USAian apps out there? I think Temu fits right in. Why are people so concerned about what China is doing with their data, but not the very countries they live in or (more importantly) the dominant online surveillance presence: the USA?
Anti Commercial-AI license
Believe it or not, I can be concerned about both.
The difference is, the place where I live has some data privacy regulations which actually get enforced, and I have some legal recourse against organizations which mishandle my data. China does not have such regulations and I do not have any recourse against organizations based there, so my risk from them is significantly higher.
Yes you can, most people aren’t. In real life, by far the most common response I’ve gotten when talking about privacy is 😴 . My colleagues in tech will hotly debate China’s surveillance, but happy use face ID on their iPhone, upload their entire life to Google or iCloud (including recordings of therapy sessions), send their blood into do a heritage check, nearly exclusively use Amazon for shopping, have an Amazon Ring camera at their door, and so much more.
You are the minority.
Anti Commercial-AI license
Why not use the English word for an entity that resides in the USA: American?
Because it’s imperialist and racist to pretend that USA is America.
Because I find USAian more appropriate. USA isn’t a representative of two entire continents.
Anti Commercial-AI license
Oh so youre just a contrarian. Got it.
Looks like his usage of term got a desired result here lol
Did you mean, “Yankee”?
https://www.merriam-webster.com/dictionary/American
https://www.merriam-webster.com/dictionary/Yankee
Russian/Chinese software contains spyware: 😡😡👿👿💢💢
US software contains spyware: 😇👉👈
Unsurprisingly, defenders of dictatorships always have to resort to whataboutism to defend the indefensible.
As per usual, this whataboutism is lazy and inaccurate as well.
I mean, I don’t like either malware. They are banning tiktok due to security and spying on US citizens, as well as some election interference. These are all things that FAANG can and will do, but since they’re American it isn’t regulated nearly as much as they should be. All invasions of privacy are bad, it’s not whataboutism to call out the holes our regulations have by being overly specific to only “adversarial countries”.
deleted by creator
You do realize that license doesnt do anything, right? Facebook tier logic right there
This comment © 2024 by jarfil is licensed under CC BY 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by/4.0/
No they don’t. It’s not only not applied to their comment, but also misnamed.
Furthermore, its posted on lemmy, which that license overrides the license on the comment
That… depends.
Lemmy is just a carrier software, its license has nothing to do with comments.
Instances however, each have their own TOS and can enforce license controls.
Ideally, all comments should have a “license” field, so stuff like instances with ads on them, or subscription-only instances, or CC0/CC-AS only instances, could inform other instances of their rights, and avoid comments that don’t meet their policies.
Good job on not reading it and understanding absolutely nothing 👏
Anti Commercial-AI license
Why would I? Putting a license in your comment doesnt mean anything, its not legally binding in anyway
One thing that’s obvious here on Lemmy is that whataboutism works only in one direction. If an article is critical of China, Russia, Iran, or other dictatorships, you’d read, “But about U.S./EU/the West”. But there are tons of articles here critical of Western countries, and it’s accepted. Why is this? Just wumaos?
Lemmy was designed to be a place where communists would have a community. Some instances weren’t, but a lot of the original ones were.
Yeah, these are the ‘tankies’ who got banned on Reddit, right? I guess it takes time until they get a minority, but it’s good that the community grows steadily.
It’s funny that every time someone points out the pot calling the kettle black the training kicks in to shout “whataboutism” and it must be “wumao”. It’s almost a meme. You don’t think an article about Xi Ping’s government warning about USAian surveillance would be mocked and ridiculed due to their Great Firewall? That wouldn’t be “whataboutism” though, right? It would be a “critical opinion”?
Anti Commercial-AI license
And the next whataboutism! What a waste of time.
Not sure if you’re trolling now 😂 Good meme.
Anti Commercial-AI license
Not possible. The CCP doest “warn”, it orders to block the app/site/word/photo, and it never existed. Anyone daring to say that it did, or to warn of stuff the CCP didn’t say, gets imprisoned or worse (see: the doctor who dared to warn abot COVID, instead of following CCP’s truth).
Because people live there and that’s what they care about.
Also this article is shiti propaganda. Is temu shite… Ya, you ain’t got to use.
Good luck trying to have a normal life without use big tech lol
Which is a lot more dangerous than temu or tiktok from personal privacy and security perspective.
I’m not sure I understand why this question comes up everytime some chinese app is in a news article.
Anyway, it should not come as a surprise, but “Arkansas Attorney General Tim Griffin”, someone who works as AG for a state in the US, presumably is more interested in US interests than Chinese interests, and presumably places more trust in the government and businesses of the country he lives in than in the government (and businesses, for where there’s a distinction anyway) of the country of his nation’s economic rival.
Which apps do that? Because I am certain it’s NOT the majority, and very skeptical about any other apps doing that.
More about the part about stealing information. Most people barely look at permissions.
or
All Temu had to do was ask and people would grant it.
Anti Commercial-AI license
On modern Android, apps need to ask for each permission when they’re about to use it for the first time. Not sure about Apple.
Google Play will also periodically revoque permissions to apps that haven’t used them for some time.
🤖 I’m a bot that provides automatic summaries for articles:
Click here to see the summary
Temu—the Chinese shopping app that has rapidly grown so popular in the US that even Amazon is reportedly trying to copy it—is “dangerous malware” that’s secretly monetizing a broad swath of unauthorized user data, Arkansas Attorney General Tim Griffin alleged in a lawsuit filed Tuesday.
Griffin fears that Temu is capable of accessing virtually all data on a person’s phone, exposing both users and non-users to extreme privacy and security risks.
In their report, Grizzly Research alleged that PDD Holdings is a “fraudulent company” and that “Temu is cleverly hidden spyware that poses an urgent security threat to United States national interests.”
Investigators agreed, the lawsuit said, concluding “we strongly suspect that Temu is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure."
Researchers found that Pinduoduo “was programmed to bypass users’ cell phone security in order to monitor activities on other apps, check notifications, read private messages, and change settings,” the lawsuit said.
A Temu spokesperson provided a statement to Ars, discrediting Grizzly Research’s investigation and confirming that the company was “surprised and disappointed by the Arkansas Attorney General’s Office for filing the lawsuit without any independent fact-finding.”
Saved 78% of original text.
starting to think that politicians have no clue about how technology works.