Temu was charged with data troubles behind the sister app and was arrested for malware

May 18, 2023: The U.S. has charged discount shopping site Temu of possible data threats after its Chinese sister app was pulled from Google’s app store over “malware”, but analysts say they’re not worried.

Compared to Pinduoduo, which Google suspended in March after versions offered outside Google’s Play store were discovered to contain malware, Temu is “not as bold,” one analyst stated.

The malware in Pinduoduo was found to leverage specific vulnerabilities for Android phones, which allows the app to bypass user security permissions, access private messages, modify settings, view data from other apps and prevent uninstallation.

Google calls it an “identified malicious app” and urges users to uninstall the Pinduoduo app, but the Chinese online retailer denies those claims.

According to an analysis by Kevin Reed, a chief information security officer at cybersecurity company Acronis, Pinduoduo requests as many as 83 permissions, including access to biometrics, Bluetooth and information regarding Wi-Fi networks.

“Some of these permissions Pinduoduo is questioning seem unanticipated for an e-commerce app,” stated Reed, sharing his analysis of both apps.

“But Temu is not as bold as Pinduoduo that is requesting all kinds of privileges,” stated Reed.

Pinduoduo is a China-based e-commerce app selling everything from groceries to apparel. It is the flagship of Nasdaq-listed Chinese firm PDD Holdings, which owns Temu. Temu’s headquarters are located in Boston.

“There should not be required for biometric data storing on an e-commerce website or app. I wouldn’t want my biometric data to be stored anywhere other than my device,” stated Sean Duca, vice president and the area’s chief security officer for Asia Pacific and Japan at cybersecurity company Palo Alto Networks.

“Biometrics have a lot greater value than anything else because I can’t simply change my fingerprint, unlike passwords,” said Duca.

He also questioned why access to Wi-Fi information was necessary. Suppose it is corporate Wi-Fi that the user is connected to. In that case, it will “become a very lucrative target for cybercriminals where they start to gain access to this information,” cautioned Duca. “But why does an e-commerce provider need that?”