Newsletter 06/30/2024  If you find this article of value, please help keep the blog going by making a contribution at GoFundMe or Paypal


Preface

I imagine a considerable contingent could consider that my many missives are reactive, redundant, ridiculous, irrelevant, and maybe even a little revolting.  But I might reply that in this present posting, my purpose is profound; my reasoning reductive; my sources well researched; and overall, this particular piece is both alarming and astonishing in its absolute relevancy.  More precisely put, I present a perfect piece of prose that paints a portrait of pure perfidy — with a decent amount of duplicity and dread added in.  For, if now or ever, you had a reason to Temu, after reading this piece you might feel like you had stepped into a big pile of poo.  So, allowing for a few awesome alliterations only offered to obfuscate any otherwise obvious or obtuse objections, I invite you to enhance your education and become a more enlightened entity with:

Riddle Me This: When Is Cheap Stuff Too Expensive?
When the Cheap Stuff Comes from a Crooked Reseller from China:
The Terror of Temu, Part 1

In the last Dispatch, posted June 22, 2024, there is a report on the obnoxious practice of brushing.  The brushing scam is when unscrupulous online resellers ship products to consumers who never ordered them, in order to inflate the reseller's sales numbers.  The online reseller Temu, headquartered in China, was singled out as a prime culprit.  Beyond being an unethical annoyance, the Temu app itself has been found to be a form of malware.

On September 6, 2023, the security research firm Grizzly Research published its findings concerning the Temu shopping app.  Below is a summary of the allegations Grizzly Research has made against Temu.  Grizzly's extensive research into Temu led its researchers to conclude that: "Grizzly Research presents Smoking Gun evidence that PDD Holdings Inc.'s (NASDAQ:PDD) widely downloaded shopping app TEMU is the most dangerous malware / spyware package currently in widespread circulation."

The researchers at Grizzly Research "suspect that TEMU is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure."  As evidence that stealing data and reselling that purloined data is the true motivation for Pinduoduo's efforts, Grizzly cites a study published by Wired on May 26, 2023.

An analysis of the company’s supply chain costs by WIRED—confirmed by a company insider—shows that Temu is losing an average of $30 per order as it throws money at trying to break into the American market.

Grizzly's findings are such that the researchers maintain that the "TEMU app software has the full array of characteristics of the most aggressive forms of malware / spyware."  Among its findings are:

The app has hidden functions that allow for extensive data exfiltration unbeknown to users, potentially giving bad actors full access to almost all data on customers’ mobile devices.

It is evident that great efforts were taken to intentionally hide the malicious intent and intrusiveness of the software.

Problems with another app from Temu's parent company, PDD Holdings, were widely reported in 2023.  Reuters reported, March 21, 2023, that Google had pulled from its Play Store the predecessor to the Temu app, named Pinduoduo.  A CNN report dated April 3, 2023, said it all with its explosive title, "‘I’ve never seen anything like this:’ One of China’s most popular apps has the ability to spy on its users, say experts."  CNN's report focused on problems with the Pinduoduo app, but also mentioned that the other PDD app, Temu, was likely to be problematic.

The issue with Pinduoduo was that the app exploited a zero-day vulnerability in the Android smartphone operating system.  The malware present in Pinduoduo allowed for a privilege escalation attack.  As security vendor Proofpoint defines it, privilege escalation is:

Privilege escalation is when a threat actor gains elevated access and administrative rights to a system by exploiting security vulnerabilities. By modifying identity permissions to grant themselves increased rights and admin capabilities, attackers can conduct malicious activities, potentially resulting in significant damages.

According to reporting by Ars Technica, March 27, 2023, the privilege escalation attack carried out by the Pinduoduo app had "allowed the app to perform operations with elevated privileges. The app used these privileges to download code from a developer-designated site and run it within a privileged environment."  The same Ars Technica article also noted that:

...the malicious Pinduoduo app includes functionality allowing for the app to be installed covertly with no ability to be uninstalled, falsely inflating the number of Pinduoduo daily active users and monthly active users, uninstalling competitor apps, stealing user privacy data, and evading various privacy compliance regulations.

As KrebsOnSecurity posted, March 22, 2023, Google had "suspended the app from the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software."  Brian Krebs quoted other investigators who had researched the pandemonium that was the Pinduoduo app, and who had also found:

Pinduoduo attacks users' mobile phones and directly raises the kernel privileges. Using Android's deserialization hole, and then adding a few other holes, directly escalate the kernel privileges, steal competitor software data, and then keep yourself alive to prevent yourself from being uninstalled.

I suppose we could ask, Et tu, Temu?  The problems associated with the online reseller app Temu, which is a subsidiary of Pinduoduo, were not widely reported at the time.  Although the Grizzly report on Temu was published in September of 2023, it is only recently that the IT press has picked up on the dangers posed by the Temu app.  In its weekly summary of security-related news on June 28, 2024, SecurityWeek offered one paragraph on the trouble with Temu.  On June 27, 2024, Ars Technica offered an in-depth analysis of the troubles with Temu.  Again, the Grizzly Research report was the main source for the reporting.  Temu is a security hole a mile wide; it endangers its users, and it can't easily be patched.

Renewed interest in the perils of products associated with PDD Holdings has come about because of a lawsuit filed June 25, 2024, by the Attorney General of the State of Arkansas against the Chinese-owned entity.  The complaint zeroes in on the online shopping app, Temu.  In his press release announcing the lawsuit, Arkansas AG Tim Griffin summarizes the case against Temu.

Temu is not an online marketplace like Amazon or Walmart. It is a data-theft business that sells goods online as a means to an end... It is purposefully designed to gain unrestricted access to a user’s phone operating system. It can override data privacy settings on users’ devices, and it monetizes this unauthorized collection of data.

source:  https://arkansasag.gov/wp-content/uploads/2024-06-25-Temu-12CV-24-149-Complaint.pdf

The second paragraph of the Complaint [ed. pdf will open] filed against PDD Holdings for the nefarious behavior of its app, Temu, summarizes the charges AG Griffin makes.  It is a long litany of abuses.

Specifically, Temu is purposefully designed to gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications. Temu is designed to make this expansive access undetected, even by sophisticated users. Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place. Even users without the Temu app are subject to Temu's gross overreach if any of their information is on the phone of a Temu user. Temu monetizes this unauthorized collection of data by selling it to third parties, profiting at the direct expense of Arkansans' privacy rights.

In paragraph 9 of the Complaint, Griffin refers to the Pinduoduo app having been suspended by both the Apple Store and the Google Play store.  In paragraph 12, Griffin gets to the heart of the matter.  The AG quotes the Grizzly Research report cited above and Kim Komando, April 15, 2023, to bolster his arguments.

Temu has "a complete arsenal of tools to exfiltrate virtually all the private data on a user's device and perform nearly any malign action upon command trigger from a remote server," [Grizzly] gaining access-without permission or even notice-to "literally everything on [a user's device]." [Komando]

In paragraph 13, AG Griffin continues with his citations of the Grizzly Research report, stating the case that:

The Temu app's code is purposely designed to evade front-end security review and to change its own code once it has been downloaded to a user's phone. This allows the Temu app to exploit the user's PII and other data or to otherwise control the user's device, in unknown and unknowable ways.[Grizzly] As experts note, "[i]t is evident that great efforts were taken to intentionally hide the malicious intent and intrusiveness of the software."[Ibid.]

In paragraphs 65 and 66 of the Complaint, AG Griffin continues to argue that Temu is essentially a form of malware, again citing the Grizzly report.

65. Forensic analysis of the Temu app's code reveals that the scope of the data collected by Temu is virtually limitless, going well beyond the scope of the data that is needed to run an online shopping app.

66. In addition to Bluetooth and Wi-Fi access, "Temu gains full access to all your contacts, calendars, and photo albums, plus all your social media accounts, chats, and texts. In other words, literally everything on your phone ... No shopping app needs this much control, especially one tied to Communist China." As another commentator observed on the Montana ban, the Temu app is "dangerous," due to the fact that it "bypasses" phone security systems to read a user's private messages, make changes to the phone's settings, and track notifications.

Furthermore, what may be the most disturbing attribute of the Temu app that AG Griffin mentions in the Complaint is that the Temu app contains a hidden compiler that creates an application other than Temu itself.  At paragraphs 74-76, the Complaint asserts that a stealth application is installed when Temu is itself installed.

74. A cryptically named function in the source code of the Temu app calls for "package compile" using runtime.exec(). Per the report, "[t]his means a new program is created by the app itself."

75. The executable created by this function is not visible to security scans before or during installation of the app, or even with elaborate penetration testing.

76. Instead, this code enables the app to change its behavior-and possibly its entire function-on the user's phone, without anyone being able to know, much less prevent such a change.

Griffin summarizes these functions thusly at paragraph 80.

This means that upon installation, the Temu app gains permission from the user's device to subsequently install any further program (or "package") that Temu wishes without the user's knowledge or control.

The many possible bad outcomes of these rogue installations performed by the Temu app are self-evident.  At paragraphs 86 and 87, the Complaint alleges that the malware installed along with Temu gives those who control Temu root access to the user's device.

86. The Temu app checks a user's device to see whether it has "root" access, which is the highest level of access on a device. With root access, the user and the Temu app can read, modify, and write not only user files, but all files on the device, including the programming of other apps and the device's operating system. Temu could theoretically control or even disable any device where the user has root access and Temu has file writing permissions without the user's knowledge or consent.

87. Root access detection also serves another purpose: obfuscating Temu's code. Security researchers require root access to conduct thorough investigations and evaluations of an app's security. One purpose of an app trying to determine whether a device has root access is to determine whether the app is being used in a "testing" environment and therefore needs to hide its nefarious behaviors.

At paragraph 97, Griffin notes the Temu app also grants itself access to the user's camera and microphone.

Two permissions that Temu sneaks into its app without disclosing them in the manifest file are requests for CAMERA and RECORD_AUDIO.  These permissions grant the app access to all the audio and visual recording and storage functions of a user's device.
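The Complaint's three technical allegations above (a hidden "package compile" via runtime.exec(), root-detection as an anti-analysis check, and camera/microphone permissions) are exactly what a defender looks for when triaging a decoded APK. The following is an added example, not code from the page, from Grizzly Research or from the Complaint: it lists the runtime permissions a manifest declares, flags sensitive APIs used without a matching declaration, and flags subprocess spawning, dynamic code loading and root/test-environment probes. The manifest and Java excerpt are constructed samples, and the indicator lists are this example's own choices.

```python
"""Static triage of a decoded Android app: declared runtime permissions,
sensitive-API use without a declaration, and suspicious code patterns."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions a shopping app rarely needs; CAMERA and RECORD_AUDIO
# are the two the Complaint singles out.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALENDAR",
}
# API classes whose use implies a permission the manifest should declare.
API_REQUIRES = {
    r"\bMediaRecorder\b": "android.permission.RECORD_AUDIO",
    r"\bandroid\.hardware\.camera2\b": "android.permission.CAMERA",
    r"\bContactsContract\b": "android.permission.READ_CONTACTS",
}
# Subprocess spawning, dynamic code loading, root / test-build probing.
CODE_INDICATORS = {
    "runtime_exec": r"Runtime\.getRuntime\(\)\.exec\(",
    "dynamic_code_load": r"\b(DexClassLoader|PathClassLoader|InMemoryDexClassLoader)\b",
    "root_or_test_probe": r'"/(?:system/(?:x)?bin|sbin)/su"|\btest-keys\b|\bisDebuggerConnected\b',
}

def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def triage(manifest_xml, source):
    """Cross-check declared permissions against the (decompiled) source."""
    perms = declared_permissions(manifest_xml)
    return {
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "api_without_permission": sorted(
            p for pat, p in API_REQUIRES.items()
            if re.search(pat, source) and p not in perms),
        "code_indicators": sorted(
            k for k, pat in CODE_INDICATORS.items() if re.search(pat, source)),
    }

# Constructed sample: declares CAMERA but not RECORD_AUDIO, yet uses MediaRecorder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
SAMPLE_SOURCE = """
MediaRecorder rec = new MediaRecorder();
boolean rooted = new File("/system/xbin/su").exists() || Build.TAGS.contains("test-keys");
if (!rooted) Runtime.getRuntime().exec(new String[]{"sh", "-c", cmd});
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE))
```

Run against a real app, `SAMPLE_MANIFEST` and `SAMPLE_SOURCE` would be replaced by the output of an APK decoder (for example the decoded AndroidManifest.xml and decompiled Java sources); a hit in `api_without_permission` or `code_indicators` is a lead for manual review, not proof of malice.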

Quoting the Grizzly Report cited above, at paragraph 103, AG Griffin sums up his charges and succinctly explains why Temu is a particularly dangerous application.

Temu is particularly malicious because much of the data collection occurs as soon as the app is downloaded. Temu contains "a complete arsenal of tools to exfiltrate virtually all the private data on a user's device and perform nearly any malign action upon command trigger from a remote server."

Griffin also makes reference to the fact that users who have never installed the Temu app may well become victims of its dangerous payloads through ordinary electronic communication with those who are Temu users.  At paragraph 107, AG Griffin explains how, because Internet users are interconnected, Temu's reach extends to people who never installed it.

Individuals who are not Temu users and have never signed up for the platform may also be adversely impacted. Unbeknownst to them, non-users who engage in electronic communications with Temu users, such as through email or text messages, may have their private communications subject to harvesting by Defendants who have broad access to Temu users' devices. In addition, individuals who never signed up for Temu but who have stored information on a Temu user's device may also have their data subject to unauthorized harvesting by Defendants.

Further on, AG Griffin enumerates the many ways Temu engages in deceptive sales and marketing practices.  These deceptive practices are also directed towards children under the age of 13.

The Complaint states six distinct Causes of Action.

COUNT 1: Arkansas Deceptive Trade Practices Act, Ark. Code Ann. § 4-88-107, et seq. (Privacy Harms)
COUNT 2: Arkansas Deceptive Trade Practices Act, Ark. Code Ann. § 4-88-108, et seq. (Privacy Harms)
COUNT 3: Arkansas Deceptive Trade Practices Act, Ark. Code Ann. § 4-88-107, et seq. (Commercial Harms)
COUNT 4: Arkansas Deceptive Trade Practices Act, Ark. Code Ann. § 4-88-108, et seq. (Commercial Harms)
COUNT 5: Arkansas Personal Information Protection Act, Ark. Code Ann. § 4-110-101, et seq.
COUNT 6: Unjust Enrichment

In terms of remedies, AG Griffin prays for monetary relief, but — other than to stop ripping off the citizens of Arkansas — no request for any real injunctive relief that might bar Temu from continuing to operate within the borders of the State of Arkansas is made.  This amounts to an acknowledgment that the State of Arkansas alone cannot stop the distribution of the Temu app.  To that point, the Temu app is still available on both the Apple App Store and the Google Play Store.

To quote the late great Mr. Pete Seeger, "When will they ever learn?"

Postscript: Temu vs Tik-Tok

Full disclosure here: I have not, and most likely never will, Tik nor Tok, nor certainly would I ever Temu.

It may seem that any critique of Temu, and indeed the legal case filed against Temu, is not unlike the many efforts, both inside and outside of governments, to ban the social media app Tik-Tok.  That would, however, be an incorrect understanding of the two situations.  Yes, both parent companies originate in China.  That is where the similarities begin and end, though.  Tik-Tok only asks for a limited amount of information from its users to use the app as it is intended.  Furthermore, as far as I know, there has been no critical analysis of Tik-Tok based on the specifics of the app's technology other than its data collection techniques.  Third-party apps that masquerade as Tik-Tok, but are not really Tik-Tok, have been reported.  Vulnerabilities in Tik-Tok's code have been exploited to spread malware, but that is also true of many otherwise legitimate applications.

The case against Temu, on the other hand, is entirely rooted in a detailed technical analysis of the Temu app's technology and what the app actually does.  Moreover, one does not need to enter any financial information to use Tik-Tok.  Users can and do shop on Tik-Tok, but only at online stores hosted on the Tik-Tok platform.  Tik-Tok itself is not, and does not purport to be, a reseller.  Temu, on the other hand, presents itself only as a shopping app, although in-depth investigations refute that claim.  All the evidence shows that Temu is a clear and present danger not only to those who use the app for any purpose, but also to people who are not themselves Temu users.  These are the clear differences between the two Chinese apps.

But know this, that if the master of the house had known
in what part of the night the thief was coming,
he would have stayed awake and
would not have let his house be broken into.
— Matthew 24:42-44

¯\_(ツ)_/¯
Gerald Reiff