News

Is Temu Shopping App a Communist China-Based Scam That Spies on Users?

Temu offers seemingly too-good-to-be-true deals on a massive range of products, but the app and website have been accused of shady practices.

Published June 5, 2023

 (Jakub Porzycki/NurPhoto via Getty Images)
Image Via Jakub Porzycki/NurPhoto via Getty Images

Ads for what appear to be unrealistically cheap products sold by the app and website Temu have become ubiquitous online. Temu, launched in September 2022, made waves with a pricey Super Bowl ad buy in February 2023 that promoted the company slogan "shop like a billionaire." At the time of this reporting, the Temu app was the second most popular free app in Apple's App Store.

As described in an April 2023 report by the U.S.-China Economic and Security Review Commission (USCC), "Temu's success raises flags about its business practices." The fact that the prices offered are so low has led potential users to wonder if the deals are real or if they are part of a scam operation. The company's Chinese ownership and opaque corporate structure have also raised cybersecurity, privacy, and national security concerns.

Many of these concerns were articulated in an April 2023 USA Today column by cybersecurity writer Kim Komando, which has since been shared widely in the form of copypasta — repeatedly copy-and-pasted text shared without source on social media. That article makes several assertions about the app Temu, advising users to delete the app immediately. These assertions include:

Prices are low because the goods are cheap.

The pictures of what you see advertised may not be what you actually get.

Temu is a Communist China-based app and site.

As you shop, Temu monitors your activity on other apps, tracks your notifications and location and changes settings.

Temu gains full access to all your contacts, calendars and photo albums, plus all your social media accounts, chats and texts. In other words, literally everything on your phone.

The USA Today column and similar claims, while rooted in fact, are imprecise and, in some cases, incorrect. Here, Snopes explains the origin and veracity of each of these assertions.

Temu's parent company — PDD Holdings — did not immediately respond to a request for comment. Snopes will update this article if we receive a response.

Prices are low because the goods are cheap.

Komando's article suggests that the suspiciously low prices offered by Temu are the result of cheap production and manufacturing. Temu itself claims that its low prices are enabled by a "deep network of merchants, logistic partners," and the parent company's "established ecosystem built over the years."

Neither explanation, however, truly captures the business model of Temu's parent company — PDD Holdings. PDD Holdings, traded on the New York Stock Exchange, is the corporate entity behind Pinduoduo, China's second most popular eCommerce app. At the time of this reporting, PDD Holdings was worth about $92 billion.

Pinduoduo, founded by Chinese billionaire and former Google employee Colin Huang in 2015, was originally designed to directly connect farmers with buyers, thereby cutting out the costs associated with selling to distributors. As described in PDD Holding's 2022 Annual Report to the United States' Securities and Exchange Commission (SEC), its business model relies on having a massive number of buyers to offer to its manufacturing partners:

The ability to aggregate demand and generate large volumes of orders [on the Pinduoduo platform] helps create economies of scale for farmer merchants. Farmers can sell directly to consumers through the platform and become less dependent on wholesale distributors.

Pinduoduo's buyer base helps attract merchants to the platform, while the scale of the platform's sales volume encourages merchants to offer more competitive prices and customized products and services to buyers, thus forming a virtuous cycle.

In 2022, nearly 80% of PDD Holdings' revenue in 2022 came from selling advertising services to its network of merchants, not from selling products. Pinduoduo and Temu both harvest large amounts of Google and other user data to provide extremely targeted advertising services to their merchants. That information is also used to predict, among other things, market trends.

This model would collapse if not for the massive base of active users it is able to provide its merchants access to. As such, both Pinduoduo and Temu use aggressive advertising techniques and other incentives to attract customers and sometimes sell items at a loss.

A major part of this formula, for both Temu and Pinduoduo, is something PDD Holdings terms "team buying." A form of cheap or free advertising for its platforms, the feature, the 2022 SEC report stated, encourages buyers "to share product information on social networks, and invite their friends, family and social contacts to form shopping teams." As reported by Time, these incentives can sometime reduce the price of a product to nearly nothing:

While Temu's prices are cheap, many new customers actually aren't paying anything at all. That's because Temu has launched a campaign on social media in which the more you convince others to sign up, the more credit you earn. This has enabled some people who have earned enough credit to receive home goods without even giving Temu their credit card information.  

Some observers suspect that PDD Holdings is subsidizing the losses incurred by Temu's low prices with revenues from Pinduoduo as a strategy to gain market share. "It seems like they're being subsidized to be a loss leader in order to gain market share, which is not unlike what Amazon did for a long time," Douglas Schmidt, a professor of computer science at Vanderbilt University, told Time.

"There's absolutely no way Temu runs a profitable retail business," Juozas Kaziukenas, founder of e-commerce research company Marketplace Pulse, told the Los Angeles Times in May 2023. "They are effectively buying market share and hoping in the years to come that market share will stick."

The pictures of what you see advertised may not be what you actually get.

As described in the 2023 USCC report, "Temu's lack of affiliation with established brands has brought concerns of product quality as well as accusations of copyright infringement." PDD Holdings, that report stated, has been subject to myriad customer-service complaints relating to shipments from Temu that never arrived or shipments that do not contain the product advertised:

As of April 2023, Temu has received 235 complaints in the last year with the Better Business Bureau, earning a 2.1 out of 5 stars customer rating." The bulk of these claims regard the poor quality of the item received, the long shipping times and related problems, and misleading product ads.

PDD Holdings (then named Pinduoduo) was included in the U.S. Trade Representative's 2021 list of "Notorious Markets for Counterfeiting and Piracy." Per that report:

The large volumes of counterfeit goods that stubbornly remain on the platform evinces the need to improve the effectiveness of the tools or close the gaps in their implementation. This year, right holders conveyed that Pinduoduo appears to be moving in the wrong direction, with delays in takedowns, lack of transparency with takedown procedures, more burdensome and expensive processes, less effective seller vetting, and reduced cooperation with brands

The latter report concerns a time prior to PDD's launch of Temu.

Temu is a Communist China-based app and site.

Temu's parent company, PDD Holdings, is a Cayman Islands company with subsidiaries primarily registered in China and that are therefore subject to regulation by Chinese authorities. Despite a Chinese law banning citizens from investing in this kind of foreign technology company, PDD Holdings is publicly traded on the New York Stock Exchange.

Such a listing is possible through an arrangement known as a Variable Interest Entity (VIE) — a corporate structure that involves a complex network of shell companies and contractual agreements allowing Chinese citizens to bypass that law. Many major Chinese corporations traded in the United States do so through a VIE.

That the underlying companies behind PDD Holdings are owned by Chinese nationals does not make the company or their products an arm of the Chinese Communist Party. But U.S lawmakers have expressed concern about Chinese authorities' control over, and ability to regulate, data derived by companies under the umbrella of PDD Holdings.

As reported by the Los Angeles Times, two broad areas of concern exist, according to Sky Canaves, a senior analyst for retail and e-commerce at Insider Intelligence:

There are also two main concerns from a U.S. regulatory perspective: companies with ties to China having access to vast amounts of consumer data, and broader consumer privacy and data security issues, Canaves said.

The question is "whether that data could then be accessed by Chinese authorities or used somehow to harm U.S. interests," Canaves said.

There is no evidence that Temu's data are, or have been, shared with Chinese authorities, but PDD Holdings' Pindoudou platform has had a history, to say the least, of malfeasance when it comes to broader "consumer privacy and data security issues."

As you shop, Temu monitors your activity on other apps, tracks your notifications and location, and changes settings.

Temu collects a large amount of data, much like many other eCommerce apps. As stated in its privacy policy, Temu collects data from your sessions and search history and monitors your activity and time on pages. If you log in using social media, it collects information contained in your social media profile, as well.

This information, the policy states, may be combined with other sources of data provided to, or paid for, by Temu or PDD Holdings. The data are used, among other things, for research and development, and for selling advertising services to merchants.

The notion that Temu can change settings without your consent — something that would be achievable only through illicit means — is presently unsubstantiated, however. These and more serious claims concern PDD Holdings' Chinese service Pindoudou.

Temu gains full access to all your contacts, calendars and photo albums, plus all of your social media accounts, chats and texts. In other words, literally everything on your phone.

While Temu does collect data related to your contacts via social media, the notion that Temu can gain access to "literally everything on your phone" stems from the discovery of aggressive malware in Pindoudou. Beginning in February 2023, several reports revealed unambiguous evidence that Pindoudou contained dangerous and illegal spyware. As reported by CNN in April 2023:

CNN spoke to half a dozen cybersecurity teams from Asia, Europe and the United States — as well as multiple former and current Pinduoduo employees — after receiving a tipoff.

Multiple experts identified the presence of malware on the Pinduoduo app that exploited vulnerabilities in Android operating systems. Company insiders said the exploits were utilized to spy on users and competitors, allegedly to boost sales.

The malware identified by researchers gave the app privileges and visibility into other apps without the user's knowledge or consent:

The researchers found code designed to achieve "privilege escalation": a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than it's supposed to have, according to experts.

"Our team has reverse engineered that code and we can confirm that it tries to escalate rights, tries to gain access to things normal apps wouldn't be able to do on Android phones," said [Cybersecurity expert Mikko] Hyppönen.

The app was able to continue running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates, Hyppönen said. It also had the ability to spy on competitors by tracking activity on other shopping apps and getting information from them, he added.

These elevated privileges allowed the app access to chats and photos. Cybersecurity expert Sergey Toshin told CNN that "the exploits allowed Pinduoduo access to users' locations, contacts, calendars, notifications and photo albums without their consent. They were also able to change system settings and access users' social network accounts and chats, he said.

The malware was found only on an "off store" version of the app designed for Android users. China blocks both the Apple Store and the Google Play store, and mobile apps are downloaded from other "off-store" third party websites.

"By collecting expansive data on user activities," CNN reported, "the company was able to create a comprehensive portrait of users' habits, interests and preferences," which "allowed [Pindoudou] to improve its machine learning model to offer more personalized push notifications and ads, attracting users to open the app and place order."

According to a source familiar with Pindoudou's operations who spoke to CNN, the company targeted rural areas in China with the malware in an effort to keep a low profile:

It was in 2020, according to a current Pinduoduo employee, that the company set up a team of about 100 engineers and product managers to dig for vulnerabilities in Android phones, develop ways to exploit them — and turn that into profit.

According to the source, who requested anonymity for fear of reprisals, the company only targeted users in rural areas and smaller towns initially, while avoiding users in megacities such as Beijing and Shanghai.

"The goal was to reduce the risk of being exposed," they said.

In response, Google Play removed Pindoudou from its store and flagged the software as dangerous. Following public exposure of these actions in March 2023, Pindoudou fired the team of researchers responsible for exploiting Android vulnerabilities for Pindoudou's benefit.

While security experts have not identified any such Malware in Temu, valid concerns exist about the methods employed by other companies under the umbrella of PDD Holdings. As CNN reported, Temu now employs many of those fired programmers.

The Bottom Line

The question "is Temu legit" is presently ubiquitous on the internet thanks to Temu's aggressive ad buys, its apparent comfort at operating at a loss, and its flashy low prices. On the one hand, you will likely be able to buy and eventually receive cheap products that are similar to the products advertised on its site. In that sense, the website is "legit."

On the other hand, the methods Temu's parent company uses, including its open disregard for privacy regulation and its desire to cheat its competition and harvest personal data for profit, are extremely concerning to U.S. security regulators. While there is presently no evidence that Temu itself is malware, the corporate history and business ethics of PDD Holdings makes these concerns legitimate, as well.

Sources

Kharpal, Arjun. "Chinese E-Commerce Giant PDD Splashes on Super Bowl Ad for Its Temu U.S. Shopping Site." CNBC, 13 Feb. 2023, https://www.cnbc.com/2023/02/13/super-bowl-2023-temu-ads-launched-by-chinese-e-commerce-giant-pinduoduo.html.

Komando, Kim. "Is Temu Legit? Cybersecurity Expert Warns It's Not the Bargain You Want, Coupon Codes Aside." USA TODAY, https://www.usatoday.com/story/tech/columnist/komando/2023/04/20/delete-temu-app-cybersecurity-expert-advice/11667796002/. Accessed 5 June 2023.

Liu, Nectar Gan, Yong Xiong,Juliana. "Google Suspends Chinese Shopping App Pinduoduo over Malware | CNN Business." CNN, 21 Mar. 2023, https://www.cnn.com/2023/03/21/tech/china-google-pinduoduo-malware-app-intl-hk/index.html.

---. "'I've Never Seen Anything like This:' One of China's Most Popular Apps Has the Ability to Spy on Its Users, Say Experts | CNN Business." CNN, 2 Apr. 2023, https://www.cnn.com/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html.

PDD Holdings Inc: Form 20-F. United States Securities and Exchange Commission, 2022, https://investor.pddholdings.com/static-files/83d4cabc-ff91-4fe2-919f-747d9bf74709.

"PDD Holdings Inc. (PDD)." Yahoo Finance, 2 June 2022, https://finance.yahoo.com/quote/PDD?p=PDD&guccounter=1 history.

Temu: An In-Depth Look as Data and Malware Concerns Spike - Grit Daily News. 17 May 2023, https://gritdaily.com/temu-data-collection-concerns/.

"The Truth About Temu, the Most Downloaded New App in America." Time, 29 Dec. 2022, https://time.com/6243738/temu-app-complaints/.

"This App Promises You Can 'shop like a Billionaire.' But Is There a Catch?" Los Angeles Times, 2 May 2023, https://www.latimes.com/business/story/2023-05-02/what-is-temu-ecommerce-app-china-ban.

深蓝. "「 深蓝洞察 」2022 年度最'不可赦'漏洞." Weixin Official Accounts Platform, http://mp.weixin.qq.com/s?__biz=MzkyMjM5MTk3NQ==&mid=2247484287&idx=1&sn=73ebf1ae3aee7bbe1a1e479246fbd7f7&chksm=c1f447b7f683cea15c656c01f1169458efe9f11448732c7189a053edbee3a99af280e4c60f8a#rd. Accessed 5 June 2023.

Alex Kasprak is an investigative journalist and science writer reporting on scientific misinformation, online fraud, and financial crime.