Temu accused of data risks after sister app was suspended for malware

The U.S. has accused discount buying tract Temu of imaginable information risks aft its Chinese sister app was pulled from Google's app store implicit "malware" — but analysts accidental they're not that worried.

Compared to Pinduoduo, which was suspended by Google successful March aft versions offered extracurricular Google's Play store were recovered to incorporate malware, Temu is "not arsenic aggressive," 1 expert said.

The malware successful Pinduoduo was recovered to leverage circumstantial vulnerabilities for Android phones, allowing the app to bypass idiosyncratic information permissions, entree backstage messages, modify settings, presumption information from different apps and forestall uninstallation.

Google called it an "identified malicious app" and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied those claims.

According to investigation by Kevin Reed, main accusation information serviceman astatine cybersecurity steadfast Acronis, Pinduoduo requests for arsenic galore arsenic 83 permissions — including entree to biometrics, Bluetooth and accusation astir Wi-Fi networks.

"Some of these permissions Pinduoduo is asking seems to beryllium unexpected for an e-commerce app," said Reed, who shared his investigation of some apps with CNBC.

"But Temu is not arsenic assertive arsenic Pinduoduo that is requesting each kinds of privileges," said Reed.

Pinduoduo is simply a China-based e-commerce app that sells everything from groceries to clothing. It is the flagship merchandise of Nasdaq-listed Chinese institution PDD Holdings which besides owns Temu. Temu's office are located successful Boston.

"There should beryllium nary request for biometric information to beryllium stored connected an e-commerce website oregon app. I personally wouldn't privation my biometric information to beryllium stored anyplace other different than my device," said Sean Duca, vice president and determination main information serviceman for Asia Pacific and Japan at cybersecurity steadfast Palo Alto Networks.

"Biometrics person a batch greater worth than thing else, due to the fact that I can't simply alteration my fingerprint astatine all, dissimilar passwords," said Duca.

He besides questioned wherefore entree to Wi-Fi accusation was necessary. If it is firm Wi-Fi that the idiosyncratic is connected to, it volition "become a precise lucrative people for cyber criminals wherever they commencement to really summation entree to this information," cautioned Duca. "But wherefore does an e-commerce supplier really request that?"

Temu, dubbed a copycat of fast-fashion statement Shein, is taking the U.S. marketplace by storm.

Just 17 days aft its motorboat successful September, the app surpassed Instagram, WhatsApp, Snapchat and Shein connected the Apple App Store successful the U.S., according to Apptopia information shared with CNBC. It launched successful the U.K. successful March, conscionable weeks aft entering Australia and New Zealand.

The information that Pinduoduo "has requested adjacent much permissions than Temu app adjacent though they look to beryllium a akin benignant of applications seems over-intrusive to me," said Reed.

"Pinduoduo is overmuch much assertive successful collecting users' information," said Reed who claimed the information was "obviously [transferred] backmost to the company."

PDD Holdings did not respond to CNBC's petition for remark regarding those permissions.

In comparison, the Temu app requests for 24 permissions, said Reed. Some of these permissions see entree to Bluetooth and accusation astir Wi-Fi networks.

"There person been nary reports of the malicious functionality contiguous successful official Play, App Store oregon third-party versions of Temu. The keys utilized to motion the Pinduoduo malware are not the aforesaid keys utilized to motion the Temu app," said Daniel Thanos, vice president and caput of Arctic Wolf Labs, the menace quality limb of cybersecurity steadfast Arctic Wolf.

"Based connected our analysis, it appears that this malware is targeting Chinese users primarily, arsenic it appears to people devices usually sold and utilized successful China specified arsenic Xiaomi, Vivo, Oppo, Samsung, etc, and their corresponding applications," said Thanos. PDD Holdings did not instantly respond to CNBC's petition for comment.

In a study connected Chinese "fast fashion" platforms published successful April, the U.S.-China Economic and Security Review Commission accused Temu and Shein of posing imaginable information risks.

Shein and Temu "primarily trust connected U.S. consumers downloading and utilizing Chinese apps to curate and present products," said the report.

"These firms' commercialized occurrence has encouraged some established Chinese e-commerce platforms and startups to transcript its model, posing risks and challenges to U.S. regulations, laws, and principles of marketplace access," it said.

Chinese-owned apps look aggravated scrutiny successful the U.S. implicit information concerns. U.S. lawmakers person cautioned that any Chinese-owned apps could beryllium susceptible to information privateness breaches oregon interference from the Chinese government.

While politicians often impeach Chinese companies of handing information implicit to the Chinese government, determination is nary grounds to enactment specified claims.

"But there's besides a larger play here, which is galore different apps that are not talked astir are besides collecting accusation and person been doing truthful for specified a precise agelong time," said Duca, noting it is much of a systemic problem.

One expert said she was less disquieted astir buying apps than societal media platforms specified arsenic TikTok and its sister app Lemon8.

"From a nationalist information standpoint, successful summation to creating idiosyncratic profiles with each these data, societal media platforms besides person the quality to select, beforehand and demote contented based connected opaque metrics that ultimately, we don't truly person an penetration into," said Lindsay Gorman, elder chap for emerging tech astatine the German Marshall Fund.

For buying apps, the "real benignant of contented influence" whitethorn beryllium Chinese companies promoting their products which "feels little of a menace to democracy," said Gorman. Instead, societal media apps could beforehand contented astir governmental topics which are overmuch harder to track, she said.

TikTok faces a imaginable prohibition successful the U.S. aft its CEO Shou Zi Chew's grounds earlier Congress, which failed to quell lawmakers' concerns astir the app's ties to China oregon the adequacy of Project Texas, its program to store U.S. information connected American soil.

"ByteDance is not owned oregon controlled by the Chinese government. It's a backstage company," Chew said during the hearing.

In his archetypal nationalist interrogation since the legislature hearing, Chew said astatine the TED2023 league past week: "We are gathering each the tools to forestall immoderate of [Chinese authorities interference successful U.S. elections] from happening."

He said helium was "very confident" the hazard tin beryllium reduced to arsenic adjacent arsenic zero with the institution being "very, precise acold along" with Project Texas.

Another analyst, Glenn Gerstell, elder advisor astatine Center for Strategic and International Studies, said these apps are "ultimately controlled by Chinese parties and that's what the American governmental strategy is going to beryllium focused on." Geopolitical tensions with China will proceed to enactment Chinese apps nether scrutiny.

"It whitethorn beryllium that if we got much sophisticated, we'd beryllium capable to separate 1 app from different and make a safer, much constricted and controlled space. But close now, we don't person that strategy successful place," said Gerstell.