Discount shopping app Temu, which the US has accused of posing potential data risks after its Chinese sister app was pulled from Google's app store for containing malware, is "less aggressive" than that sister app, one analyst said, adding that he was not too worried.
The sister app, Pinduoduo, was suspended from Google's Play Store in March after a version distributed outside the store was found to contain malware.
The Pinduoduo malware was found to exploit a specific vulnerability in Android smartphones, allowing the app to bypass user security permissions, access private messages, change settings, view data from other apps and prevent its own uninstallation.
Google called it an “identified malicious app” and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied such claims.
According to an analysis by Kevin Reed, chief information security officer at cybersecurity firm Acronis, Pinduoduo requested 83 permissions, including access to information about biometrics, Bluetooth and Wi-Fi networks.
“Some of the permissions that Pinduoduo is seeking seem unexpected for an e-commerce app,” said Reed, who shared an analysis of both apps with CNBC.
“But Temu is not as aggressive as Pinduoduo, which demands all sorts of privileges,” Reed said.
Pinduoduo is a China-based e-commerce app that sells everything from groceries to clothing. It is the flagship product of PDD Holdings, a Nasdaq-listed Chinese company that also owns Temu. Temu is headquartered in Boston.
Pinduoduo collects user information more aggressively and apparently sends it back to the company.
Kevin Reed
Acronis Chief Information Security Officer
“You shouldn’t need to store biometric data on e-commerce websites or apps. Personally, I don’t want my biometric data stored anywhere but on my device,” said Sean Duca, vice president and regional head of security for Asia Pacific and Japan at cybersecurity company Palo Alto Networks.
“Biometrics are more valuable than anything else because, unlike passwords, fingerprints cannot be changed at all,” says Duca.
He also questioned why access to Wi-Fi information is needed. If users are connecting to corporate Wi-Fi, “it becomes a very lucrative target for cybercriminals to actually gain access to this information,” Duca warned. “But why would an e-commerce provider actually need it?”
What does Temu do?
Temu, the copycat of fast fashion brand Shein, is taking the US market by storm.
Just 17 days after its release in September, the app surpassed Instagram, WhatsApp, Snapchat and Shein on the US Apple App Store, according to Apptopia data shared with CNBC. It was launched in the UK in March, just weeks after entering Australia and New Zealand.
The fact that Pinduoduo “seeks to be the same kind of application and yet asks for even more permissions than the Temu app seems too annoying to me,” Reed said.
“Pinduoduo is much more proactive in collecting user information,” Reed said, adding that the data is “clearly [transferred] back to the company.”
PDD Holdings did not respond to CNBC’s request for comment regarding these permissions.
In contrast, the Temu app requests 24 permissions, Reed said. Some of these permissions include access to Bluetooth and information about the Wi-Fi network.
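The permission comparison the analysts describe can be reproduced for any app from its decoded AndroidManifest.xml (for example, as produced by apktool). The script below is an added example, not code from the article or from Acronis; the two manifests it audits are constructed samples, not the real Pinduoduo or Temu manifests, and the "unexpected for a shopping app" grouping is an assumption that mirrors the categories the analysts call out (biometrics, Bluetooth, Wi-Fi, private messages).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article's analysts call unexpected for a shopping app, grouped by
# concern. These are real Android permission strings; the grouping is an assumption.
UNEXPECTED = {
    "biometrics": {"android.permission.USE_BIOMETRIC", "android.permission.USE_FINGERPRINT"},
    "bluetooth": {"android.permission.BLUETOOTH", "android.permission.BLUETOOTH_CONNECT",
                  "android.permission.BLUETOOTH_SCAN"},
    "wifi": {"android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE"},
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names declared via <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def audit(manifest_xml: str) -> dict:
    """Count declared permissions and flag those falling in the UNEXPECTED categories."""
    perms = declared_permissions(manifest_xml)
    flagged = {cat: sorted(perms & names) for cat, names in UNEXPECTED.items() if perms & names}
    return {"total": len(perms), "flagged": flagged}

def extra_permissions(manifest_a: str, manifest_b: str) -> set[str]:
    """Permissions app A declares that app B does not (the side-by-side view in the article)."""
    return declared_permissions(manifest_a) - declared_permissions(manifest_b)

def _manifest(*perms: str) -> str:
    """Build a minimal decoded manifest; constructed sample data, not a real app's."""
    body = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.shop">{body}</manifest>')

# Constructed manifests mirroring the article's contrast: one app asks for far more.
AGGRESSIVE_APP = _manifest("android.permission.INTERNET", "android.permission.CAMERA",
                           "android.permission.USE_BIOMETRIC", "android.permission.BLUETOOTH",
                           "android.permission.ACCESS_WIFI_STATE", "android.permission.READ_SMS")
MODEST_APP = _manifest("android.permission.INTERNET", "android.permission.CAMERA",
                       "android.permission.BLUETOOTH", "android.permission.ACCESS_WIFI_STATE")

if __name__ == "__main__":
    for name, manifest in (("aggressive", AGGRESSIVE_APP), ("modest", MODEST_APP)):
        print(name, audit(manifest))
    print("extra:", sorted(extra_permissions(AGGRESSIVE_APP, MODEST_APP)))
```

A declared permission is a request, not proof of abuse; the flagged list is a starting point for asking, as Duca does, why a shopping app needs it.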
I’m not as worried about shopping apps as I am about social media platforms like TikTok or Lemon8.
Lindsay Gorman
Senior Research Fellow, Emerging Technologies Division, German Marshall Fund
“There are no reports of malicious functionality present in the official Play, App Store, or third-party versions of Temu. The key used to sign the Pinduoduo malware is not the same key used to sign the Temu app,” said Daniel Thanos, vice president and director of Arctic Wolf Labs, the threat intelligence arm of cybersecurity firm Arctic Wolf.
“According to our analysis, this malware appears to be primarily targeting Chinese users. It seems to be targeting devices typically sold and used in China, such as Xiaomi, Vivo, Oppo and Samsung, and their corresponding applications,” Thanos said. PDD Holdings did not immediately respond to CNBC’s request for comment.
Data risk
In a report on China’s “fast fashion” platforms published in April, the U.S.-China Economic and Security Review Commission accused Temu and Shein of posing potential data risks.
Shein and Temu “rely primarily on U.S. consumers downloading and using Chinese apps to curate and offer products,” the report said.
“The commercial success of these companies has prompted both China’s existing e-commerce platforms and start-ups to imitate its model, posing challenges to US regulations, laws and market access principles,” the report said.
Chinese-owned apps are under intense scrutiny in the United States due to security concerns. US lawmakers have warned that Chinese-owned apps could be vulnerable to data privacy breaches and interference from the Chinese government.
Politicians often accuse Chinese companies of passing data to the Chinese government, but there is no evidence to support such claims.
“But there’s also a bigger problem here, which is that many other apps that aren’t talked about are also collecting information, and have been doing so for a very long time,” Duca said, adding that this is a systemic problem rather than one specific to these apps.
One analyst said she worries less about shopping apps than about social media platforms such as TikTok and its sister app Lemon8.
“From a national security perspective, social media platforms, in addition to using all of this data to create user profiles, also have the ability to select, promote and demote content through the platform, ultimately relying on opaque metrics that don’t really provide insight,” said Lindsay Gorman, senior fellow for emerging technologies at the German Marshall Fund.
Gorman said the “real content power” for shopping apps might be Chinese companies promoting their products that “feel less of a threat to democracy.” Instead, social media apps could promote content on political topics that are much harder to track, she said.
TikTok faces a possible ban in the US after CEO Shou Zi Chew testified to Congress. The testimony failed to allay lawmakers’ concerns about the app’s ties to China and the validity of Project Texas, a plan to store US user data in the US.
“ByteDance is not owned or controlled by the Chinese government. It is a private company,” Chew said at the hearing.
In his first public interview after the congressional hearing, Chew said at the TED2023 conference last week that the company would not let that happen, referring to Chinese government interference in U.S. elections.
He said the company is “very well on track” with Project Texas and is “very confident” that the risk is as close to zero as possible.
Glenn Gerstell, senior adviser at the Center for Strategic and International Studies, said the apps are “ultimately controlled by political parties in China, and the US political system should focus its attention there.” Chinese apps will continue to come under scrutiny because of geopolitical tensions with China, he said.
“If we were more sophisticated, we might be able to differentiate one app from another to create a safer, more restricted and controlled space. But for now, that system is not in place,” Gerstell said.