Skip to content

Temu under scrutiny for malware distribution and privacy violation

  • by
  • 3 min read

Photo: Koshiro K /

Temu, and its parent company, Pinduoduo Inc. have been accused of allegedly engaging in suspicious activities related to malware distribution and user data privacy.

Last year, Google flagged the Pinduoduo app as a potential malware and removed it from Google Play Store. The malware exploited a privilege-escalation flaw and allowed threat actors to gain access to the victim’s device and pilfer information.

The zero days in the Pinduoduo app were exploited to gain elevated access privileges, enabling the app to harvest user data beyond the usual limits imposed by native Android APIs. Shockingly, Pinduoduo went a step further by utilising this access from users’ devices, raising serious ethical and legal concerns.

Despite vehement denials from PDD Holdings, independent researchers from Lookout conducted a comprehensive analysis of app samples, corroborating the initial claims.

However, users who downloaded the Pinduoduo app from legitimate app stores, such as Google Play, were not exposed to these vulnerabilities. However, given the prevalence of third-party app markets in China, where Google Play is blocked, a significant number of users may have been affected.

“We strongly reject the speculation and accusation by some anonymous researchers and non-conclusive response from Google that the Pinduoduo app is malicious,” said Temu.

Temu has long been accused of malpractices in business practices.

Temu is also facing a class-action lawsuit in Illinois alleging that it violates customer’s privacy by pilfering sensitive information. The plaintiffs’ attorneys complained that Temu requires more than 24 permissions including Bluetooth and WiFi, permissions that are usually not required for e-commerce platforms.

“We categorically deny the allegations and intend to vigorously defend ourselves against these meritless lawsuits,” responded Temu against the lawsuit.

Another class-action suit was also filed against Temu in New York on behalf of Eric Hu and others. In this lawsuit too, the plaintiffs accused Temu of collecting customers’ data and not storing it securely.

“Defendant grossly failed to comply with security standards and allowed its customers’ financial information to be compromised, all in an effort to save money by cutting corners on security measures that could have prevented or mitigated the Breach,” alleged the plaintiffs.

Better Business Bureau also warned Temu users that the app is taking personal information without users’ knowledge.

A report by the US-China Economic and Security Review Commission (USCC) also raised concerns about the malpractices of Temu and Shein, another Chinese e-commerce firm.

It will be interesting to see the results of this lawsuit and its implications on e-commerce industry as a whole.

In the News: Microsoft fortifies Exchange Server against zero-day exploits

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: