Temu accused of data risks after sister app was suspended for malware


In just 17 days after launch, Temu surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the U.S., according to Apptopia data shared with CNBC.

Stefani Reynolds | Afp | Getty Images

The U.S. has accused discount shopping site Temu of posing potential data risks after its Chinese sister app was pulled from Google's app store over "malware," but analysts say they are not that worried.

Compared to Pinduoduo, which was suspended by Google in March after versions offered outside Google's Play store were found to contain malware, Temu is "not as aggressive," one analyst said.

The malware in Pinduoduo was found to leverage specific vulnerabilities in Android phones, allowing the app to bypass user security permissions, access private messages, modify settings, view data from other apps and prevent uninstallation.

Google called it an "identified malicious app" and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied the claims.

According to analysis by Kevin Reed, chief information security officer at cybersecurity firm Acronis, Pinduoduo requests as many as 83 permissions, including access to biometrics, Bluetooth and information about Wi-Fi networks.

"Some of these permissions Pinduoduo is asking for seem to be unexpected for an e-commerce app," said Reed, who shared his analysis of both apps with CNBC.

"But Temu isn't as aggressive as Pinduoduo, which is requesting all kinds of privileges," said Reed.

Pinduoduo is a China-based e-commerce app that sells everything from groceries to clothing. It is the flagship product of Nasdaq-listed Chinese company PDD Holdings, which also owns Temu. Temu's headquarters are located in Boston.


"There should be no need for biometric data to be stored on an e-commerce site or app. I personally would not want my biometric data to be stored anywhere else other than on my device," said Sean Duca, vice president and regional chief security officer for Asia Pacific and Japan at cybersecurity firm Palo Alto Networks.

"Biometrics have much greater value than anything else, because I can't simply change my fingerprint at all, unlike passwords," said Duca.

He also questioned why access to Wi-Fi information was needed. If it's corporate Wi-Fi that the user is connected to, it could "become a very lucrative target for cyber criminals where they start to actually gain access to this information," warned Duca. "But why does an e-commerce provider actually need that?"

What does Temu do?

Temu, dubbed a copycat of fast-fashion label Shein, is taking the U.S. market by storm.

Just 17 days after its launch in September, the app surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the U.S., according to Apptopia data shared with CNBC. It launched in the U.K. in March, just weeks after entering Australia and New Zealand.

The fact that Pinduoduo "has requested far more permissions than the Temu app although they seem to be a similar kind of application seems over-intrusive to me," said Reed.

"Pinduoduo is much more aggressive in collecting users' data," said Reed, who claimed the data was "clearly [transferred] back to the company."

PDD Holdings did not respond to CNBC's request for comment regarding these permissions.

In comparison, the Temu app requests 24 permissions, said Reed. Some of these permissions include access to Bluetooth and information about Wi-Fi networks.


"There have been no reports of the malicious functionality present in official Play, App Store or third-party versions of Temu. The keys used to sign the Pinduoduo malware are not the same keys used to sign the Temu app," said Daniel Thanos, vice president and head of Arctic Wolf Labs, the threat intelligence arm of cybersecurity firm Arctic Wolf.

"Based on our analysis, it appears that this malware is targeting Chinese users primarily, as it seems to target devices typically sold and used in China such as Xiaomi, Vivo, Oppo, Samsung, etc., and their corresponding applications," said Thanos. PDD Holdings did not immediately respond to CNBC's request for comment.

Data risks

In a report on Chinese "fast fashion" platforms published in April, the U.S.-China Economic and Security Review Commission accused Temu and Shein of posing potential data risks.

Shein and Temu "primarily rely on U.S. consumers downloading and using Chinese apps to curate and ship products," said the report.

"These firms' commercial success has encouraged both established Chinese e-commerce platforms and startups to copy its model, posing risks and challenges to U.S. regulations, laws, and principles of market access," it said.

Chinese-owned apps face intense scrutiny in the U.S. over security concerns. U.S. lawmakers have warned that any Chinese-owned apps could be vulnerable to data privacy breaches or interference from the Chinese government.

While politicians often accuse Chinese companies of handing data over to the Chinese government, there is no evidence to support such claims.

"But there's also a bigger play here, which is many other apps that aren't mentioned are also collecting data and have been doing so for such a very long time," said Duca, noting it's more of a systemic problem.


One analyst said she was less worried about shopping apps than social media platforms such as TikTok and its sister app Lemon8.

"From a national security standpoint, in addition to creating user profiles with all this data, social media platforms also have the ability to select, promote and demote content based on opaque metrics that ultimately, we don't really have insight into," said Lindsay Gorman, senior fellow for emerging tech at the German Marshall Fund.

For shopping apps, the "real kind of content influence" may be Chinese companies promoting their products, which "feels less of a threat to democracy," said Gorman. Instead, social media apps could promote content about political topics that are much harder to track, she said.

TikTok faces a potential ban in the U.S. after its CEO Shou Zi Chew's testimony before Congress, which failed to quell lawmakers' concerns about the app's ties to China or the adequacy of Project Texas, its plan to store U.S. data on American soil.

"ByteDance isn't owned or controlled by the Chinese government. It's a private company," Chew said during the hearing.

In his first public interview since the congressional hearing, Chew said at the TED2023 conference last week: "We are building all the tools to prevent any of [Chinese government interference in U.S. elections] from happening."

He said he was "very confident" the risk will be reduced to as close to zero as possible, with the company being "very, very far along" with Project Texas.

Another analyst, Glenn Gerstell, senior advisor at the Center for Strategic and International Studies, said these apps are "ultimately controlled by Chinese parties and that is what the American political system is going to be focused on." Geopolitical tensions with China will continue to put Chinese apps under scrutiny.

"It may be that if we got more sophisticated, we would be able to distinguish one app from another and create a safer, more restricted and controlled space. But right now, we don't have that system in place," said Gerstell.


