200 points

“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”

That’s just nuts

permalink
report
reply
107 points
*

Yeah, it is. It’s such an extraordinary claim.

One requiring extraordinary evidence that wasn’t provided.

“It’s doing amazing hacks to access everything and it’s so good at it it’s undetectable!” Right, how convenient.

permalink
report
parent
reply
98 points
*

Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.

An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.

In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables

permalink
report
parent
reply
6 points

So wait, bit-shifting some integers is now considered being malicious? Is that really the defense here? Using that definition just about all software in existence is malicious.

permalink
report
parent
reply
3 points
Deleted by creator
permalink
report
parent
reply
13 points

I don’t believe his claims without evidence, but having a legit cover for nefarious acts is pretty standard, no?

permalink
report
parent
reply
8 points

Why steal their money when they can both get them to give their money as well data to also sell?

permalink
report
parent
reply
53 points
*

This is why companies like Apple are at least a tiny bit correct when they go on about app security and limiting code execution. The fact it aligns with their creed of controlling all of the technology they sell makes the whole debate a mess, though. And it does not excuse shitty behavior on their part.

But damn

And if they got this past Apple in their platforms. That’s even wilder.

permalink
report
parent
reply
23 points

The article linked to the analysis and on a quick glance, it seems to be done entirely against the Android variant of the app. This makes sense because if the alleged actions are true, they’d never have gotten on to the App Store for iOS Apple users… or at least as of a couple months ago. Who knows what kind of vulnerability is exposed by Apple only doing limited cursory checks for 3rd party App Stores.

permalink
report
parent
reply
7 points

Shits getting scarier by the day.

permalink
report
parent
reply
2 points
Deleted by creator
permalink
report
parent
reply
18 points
  1. Dynamic compilation using runtime.exec(). A cryptically named function in the source code calls for “package compile”, using runtime.exec(). This means a new program is created by the app itself.—Compiling is the process of creating a computer executable from a human-readable code. The executable created by this function is not visible to security scans before or during installation of the app, or even with elaborate penetration testing. Therefore, TEMU’s app could have passed all the tests for approval into Google’s Play Store, despite having an open door built in for an unbounded use of exploitative methods. The local compilation even allows the software to make use of other data on the device that itself could have been created dynamically and with information from TEMU’s servers.
permalink
report
parent
reply
12 points

Ah yes, delete your original incorrect comment instead of continuing the discussion about how wrong and lazy it was to make, nice.

permalink
report
parent
reply
119 points

I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.

For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.

But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

permalink
report
reply
67 points
73 points
*

Here’s the actual relevant part

These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can’t do anything the app couldn’t do with an update.

Also, there’s some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn’t present that particular risk.

All of this to say, if you have temu, probably uninstall it. It’s clearly collecting all the data it can get.

But it’s unlikely to be the immediate threat that will have China taking over your phone like this report implies.

permalink
report
parent
reply

This infographic is really helpful. Stuff like this makes me relieved I use the majority of services in a browser, rather than native apps

permalink
report
parent
reply
3 points

Thanks, that brings done useful context here

permalink
report
parent
reply
18 points

That… is not a study by anyone who knows what they are talking about. It also does not mention fingerprints at all.

They seem to believe that the app can use permissions undeclared in the manifest file because they obviously think it’s only for the store to show the permissions to the user. Android will not actually allow an app to use undeclared permissions. The most rational explanation is the codebase is shared with different version of the app (possibly not released) that had different manifests.

It also makes a big deal of checking if running as root. That is not evidence of having an escalation exploit. If they have an ability to get root before running the app why would they need to use the app to exploit it? They could just do whatever they wanted and avoid leaving traces in the app. Though I doubt they would root phones to just brick them. It’s the kind of mischief you would expect from a kid writing viruses, not an intelligence agency or criminal enterprise.

Users who root their own phones are very unlikely to run temu as root. In fact a lot of apps related to shopping or banking try to detect root to refuse to work as your system is unsafely. In any case it’s a very niche group to target.

To keep things short, that ‘study’ does not really look credible or written by actual experts.

permalink
report
parent
reply
28 points
31 points
*

The analysis shows it’s spyware, which I don’t question. But it’s spyware in the bounds of Android security, doesn’t hack anything, doesn’t have access to anything it shouldn’t, and uses normal Android permissions that you have to grant for it to have access to the data.

For example the article mentions it’s making screenshots, but doesn’t mention that it’s only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn’t give it permission to access.

Don’t get me wrong, it’s very bad and seems to siphon off any data it can get it’s hands on. But it doesn’t bypass any security, and many claims in the article are sensational and don’t appear in the Grizzly report.

permalink
report
parent
reply
5 points

I agree on the sensationalism in the article.

permalink
report
parent
reply
3 points

That is not entirely correct. The reported found the app using permissions that are not covered by the manifest. It also found the app being capable to execute arbitrary code send by temu. So it cannot be clearly answered if the app can utilize these permissions or not. Obviously they would not ship such an exploit with the app directly.

permalink
report
parent
reply
1 point

Do you know if there people who have gone this far analysing the TikTok and WeChat apps?

permalink
report
parent
reply
16 points

Yeah, I don’t like Temu, and I’m sure the app is a privacy nightmare, but these claims don’t seem right. If it’s true, I’m like to see someone else verify it.

permalink
report
parent
reply
5 points

Haven’t read the article because I’m not interested in an app I don’t use, but does it mean browser fingerprint? Because that’s slang for the fonts/cookies/user-data of your browser, and lots of apps have access to that.

permalink
report
parent
reply
0 points

Wouldn’t the phone have to have your fingerprint stored in order to compare it to the one scanned?

permalink
report
parent
reply
6 points
*

Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It’s not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it’s own. And would likely be device specific vulnerability, not something an app just does wherever installed.

permalink
report
parent
reply
1 point

Pretty sure this is not true. That’s how apple’s fingerprint scanners work. On android the fingerprint data is stored either in the tpm or a part of the storage encrypted by it.

permalink
report
parent
reply
77 points

Temu is absolute cancer in terms of business practices so no surprise here at all.

permalink
report
reply
46 points

Cancer in terms of, well, everything.

permalink
report
parent
reply
10 points

But it’s cheap.

permalink
report
parent
reply
11 points

If I wanted garbage I could get it for free from the roadside

permalink
report
parent
reply
3 points

Why is Temu so popular then?

permalink
report
parent
reply
11 points

Cheap cancer

permalink
report
parent
reply
66 points

I can’t believe anyone would buy from Temu. I knew they were Chinese knockoff bullshit the second I saw their first obnoxious ad.

permalink
report
reply
18 points

Plenty of items on eBay are just people who buy from China directly and mark up prices. If it is likely made in China and I don’t want it quickly, I’ll buy off aliexpress. That said, alibaba wanted me to upload photo ID which I noped out of. Temu started spamming my email address when I’d never used them. The unsubscribe link went to their website said to adjust your account settings if you didn’t want spam… I never created and account and avoided them completely following that.

permalink
report
parent
reply
8 points

Shit, most of Amazon is that as well.

permalink
report
parent
reply
2 points
*

Amazon is usually OK if you buy things that are sold by Amazon or sold by the manufacturer (if it’s a well-known brand). The third-party sellers on Amazon based in China are almost always reselling stuff from Aliexpress/Alibaba with a significant markup.

permalink
report
parent
reply
1 point

Seems like >70% of seller have the imprint in china or hong kong

permalink
report
parent
reply
3 points

I don’t buy anything from eBay that I can get elsewhere. I didn’t even use those other sites. Sure, everything is made in China, but I’m good not trusting China without a more reputable middleman that’s subject to American laws regarding things like refunds and such.

permalink
report
parent
reply
15 points

Isn’t that the site that’s AliExpress but worse?

permalink
report
parent
reply
3 points

Apparently for some people (my mom) the search or filters work better on Temu. No idea why, I only ever use AliExpress.

permalink
report
parent
reply
3 points

Alis search is really bad.
Somehow the auto translation is active for the product names but if you search they don’t seem to apply.
For example:
Searching for Cherry MX switches brings up articles that are named “Mechanische Kirsch Schalter für Tastatur” (essentially the name but translated). Problem is: Cherry the company is like it’s in english as well, also the fruit amd thus will not be translated correctly.
Trying to search more niche stuff quickly gets annoying when trying to find something specific.

permalink
report
parent
reply
8 points

somethings people don’t care about quality. An example, the one time I checked out Temu way back when it first made its splash I bought some targets for shooting… Hard to fuck that up and got em cheap as fuck with that promo deal they do to hook you. Uninstalled it right after, probably not worth it but I feel like that is a common experience. There are items where you just simply can’t fuck up so the ultra cheapness works out.

With that said, an obligatory FUCK temu and those like it.

permalink
report
parent
reply
10 points

Aliexpress seems most straightforward, and not quite as gimmicky.

permalink
report
parent
reply
3 points

Have you seen the wheel spin and Fomo coupons?
Maybe not as much but still highly gimmicky in comparison to normal e-commerce sites

permalink
report
parent
reply
3 points

My only reasons to buy on Ali is when I need something simple like velcro that can be cut to length or other small scale stuff electronics (e.g. Rasperry Pi 0) and it doesnt have to be fast.
Ironically the shipping is either free or so cheap it’s better than domestic amazon.
I often suspect they sell the same item but order it with DHL shipping (our domestic shipper) with high priority shipping included in the price (2€ item + 8€ shipping = 10€ on Amazon + “free” shipping)

permalink
report
parent
reply
7 points
*

A huge amount of products are just generic Chinese products that have a brand slapped on it. If you’ve ever bought a random small USB device (i.e USB hubs, etc) from a major brand like LogiTech and others, if you crack it open it is just the same device as cheap resellers with a branded coating. It’s not worth it to many companies to bother manufacturing their own small tat so they just sub-contract out.

And sure, it likely works, but it’s the exact same hardware with the same capabilities as a product a 10th of the price.

permalink
report
parent
reply
5 points

The cheap Chinese stuff often uses knock-off ICs tho.
They can be fairly difficult to detect, and will work for a short time or under very light loads. But they will be nowhere near the spec of the data sheets.
They might massively overheat, not provide the correct currents or voltages, run at lower speeds. All sorts of corners being cut to turn a $2 IC into a 50¢ IC. Or a 50¢ ic into a 5¢ one

So yeh, might be the same PCB layout inside, it might visually look the same (or very very close) but the parts are likely to be counterfeit.

Of course, it’s also probable that name brands might be hit with counterfeit parts inside as well. Hopefully their QA picks that up

permalink
report
parent
reply
4 points

I’ve found this when trying to get a decent USB>9-pin Serial connector.

You think it’s your software, or something weird going wrong. Then you swap over a name-brand adapter, and the thing just works.

permalink
report
parent
reply
1 point

Maybe not Logitech as a whole but small scale or low-end stuff

permalink
report
parent
reply
1 point

Yeah, the small tat items and accessories, as I said.

permalink
report
parent
reply
5 points

That’s all online shopping

permalink
report
parent
reply
-2 points

I can’t believe people pay full price on cheap stuff. The only reasonable thing to do is pay cheap on cheap stuff. And the delivery times are unbeatable .

permalink
report
parent
reply
6 points

I can’t believe people buy cheap trash that would be sold on Temu.

But here we are, people buy cheap ass trash off Temu. If China started picking through the trash we shipped them and sold it back to us on a site like Temu, something tells me people would still buy it.

permalink
report
parent
reply
5 points

People would buy an actual turd on temu if it’s cheap enough. Just read these comments here… But it’s cheap. Congrats, you bought cheap garbage and it got send around the globe by a company that sells your data

permalink
report
parent
reply
-15 points

With how cheap they are, people will and should buy from TEMU. Aliexpress as a general store never had much of a competition for English speakers outside of Banggood for select electronics. Taoboa is good but it’s harder to use

permalink
report
parent
reply
16 points

So for you, the lowest price is the only thing that matters? It doesn’t matter whether it’s a shitty product? Or that they’re one of the least efficient shippers due to their tariff avoidance strategy, and in doing so are contributing more per purchase to climate change than even companies like Amazon and Walmart?

permalink
report
parent
reply
2 points

Dunno how it’s with Ali but doesnt Temu also use forced labor?

permalink
report
parent
reply
-6 points
*

I’m happy because it’s competition for Aliexpress.

Arguments against carbon emissions and carbon footprints against corporations isn’t very helpful unless you can do something about it. This is somehow a very unpopular opinion here, for some reason people don’t like being told that they don’t have much power. Boycotting it by yourself won’t work either, because even if the west gives up on it, the East will not. Carbon emissions will remain unless strict regulations are maintained, and we know who buys politicians these days. If I can do nothing about the climate, then yes I’d rather pay less. And I’m not explicitly anti-China like some people here because America is just as hypocritical.

Yes there are really bad products and their QC is horrible. I’ll say the same for Aliexpress, Taobao, Amazon, Walmart and Bestbuy. Unfortunately for everyone here, we’re going to have to choose between shit options, so yes I’d rather pay less if it’s shit I’m going to get anyway. Besides, I’m smart enough to not make bigger purchases on these sites because I know of their QC situation.

permalink
report
parent
reply
65 points

How about pass and enforce strong digital privacy protection laws you fucking cowards. When other countries spy on us it’s scary and bad, but for US companies? Best we can do is ban porn and demand backdoors to stop E2EE messaging.

permalink
report
reply
5 points
*

California (and a few other states) are trying. The CCPA and CPRA are a good step in the right direction. If you’re a California resident, you can request all the data a business has collected about you, tell them to stop sharing it with business partners, or tell them to completely delete it, similar to the GDPR in Europe.

permalink
report
parent
reply
4 points

Oh don’t worry, they’re going to try and kill that too before it hurts them too much, and with the audacity of calling it the “American Privacy Rights Act”. https://www.eff.org/deeplinks/2024/06/eff-opposes-american-privacy-rights-act

permalink
report
parent
reply
3 points

Ugh. I hate this so much.

permalink
report
parent
reply
3 points

I’m pretty sure Temu is Chinese.

permalink
report
parent
reply
2 points

That would hurt the advertising, spam, blackmail, malware, and propaganda industries. We can’t rip out the economic spine of big tech since they pay the best bribes.

permalink
report
parent
reply
2 points

Unfortunately they care more about spying on us themselves.

permalink
report
parent
reply

Technology

!technology@lemmy.world

Create post

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


Community stats

  • 15K

    Monthly active users

  • 13K

    Posts

  • 567K

    Comments