this post was submitted on 27 Jun 2024
843 points (97.4% liked)

Technology

55608 readers
2727 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
843
Shopping app Temu is “dangerous malware,” spying on your texts, lawsuit claims (arstechnica.com)
submitted 2 days ago by [email protected] to c/technology
228 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 1 day ago* (last edited 1 day ago)

I hate Temu, but this (apparently contracted?) Grizzly Reports report isn't really all that trust inspiring, tbh.

Our experts identified a stack of software functions that are completely inappropriate to and dangerous

The stack difference to the Amazon app they list:

  • Package compile
  • Requesting system logs
  • Some code obfuscation
  • Mac address collection
  • Install permission
  • Wake lock

Meh. That's just a sliver worse than your regular, off the shelves proprietary corporate app. I don't see how they can pull off the promise of being a truly dynamic Android app from that report.

I do believe they hover up data, but they aren't otherworldly super hackers. They will probably just ask for the data and the users will hand it over in a second. For most people, it really is that simple.

[–] FunnyUsername 17 points 1 day ago (4 children)

Can someone explain to me how you can just simply program something to bypass privacy and security features? What is the point of having these features if you can literally just program something to ignore them? Like....??? Temu is obviously bad if this is true, but if it IS true, it shouldn't have been possible to begin with!!

[–] Juantonz 10 points 1 day ago* (last edited 1 day ago)

Im not sure how they specifically bypass the features in other ways but I imagine some of it is from users accepting permissions under the guise of another use. For example, maybe you accept the microphone permission on tik tok to record video. With that permission in theory the app could now use it maliciously. Of course it should all depend on the users choice for that and im not sure beyond the scope of that.

TORfdot0 shared this comment below:

Someone else posted this report in this thread which does a good job of the deceptive practices and API calls the app uses to trick the user into giving permissions up willingly and otherwise collect data it shouldn’t.

load more comments (2 replies)
[–] [email protected] 23 points 1 day ago* (last edited 1 day ago) (2 children)

Comments here: “Yeah right, I’ll believe it when they explain how.”

Article: literally has a section explaining how

Edit:

Replies: "Yeah, but that's just a summary. I'll believe it when they explain in full detail."

Article: literally has a link to the detailed explanation

[–] AProfessional 13 points 1 day ago* (last edited 1 day ago) (2 children)

The claim is they completely bypass all Android and iOS security is pretty unbelievable.

If so then the real discussion is how these zero day exploits are just sitting around.

EDIT: It seems the focus is on Android but all the information is nonsensical, like AI generated buzzword bingo.

load more comments (2 replies)
[–] TORFdot0 8 points 1 day ago (2 children)

It states that it’s somehow breaking the permissions sandbox by dynamically recompiling code after the app is opened. Unless there is some undisclosed exploit that it’s using to break the sandbox, it’s outside most people’s understanding of how these platforms work

load more comments (2 replies)
[–] Snapz 34 points 2 days ago (3 children)

Have any of you actually ever stopped to process what the tagline, "I'm shopping like a billionaire" means?

I've always interpreted it as,

I'm needlessly buying things that don't make me happy, but making the purchase without any hesitation, knowing that the purchase price could never financially impact me in any real way. When I purchase the thing, I'll probably never use it or actually take it out of the box even. It is just empty, hollow. And somewhere inside, I always know that it's all only possible, because I'm actively exploiting the cheap labor of scores of other people that are made to perpetually suffer in generations of abject poverty to allow for my relative comfort...

🎶*"I'm shopping like a billionaire!"*🎶

[–] FunnyUsername 15 points 2 days ago* (last edited 2 days ago) (4 children)

I am disabled and have limited income I don't have control over increasing or decreasing. I use temu to save a lot of money on essential things that should be cheap but are still overpriced in America. Sponges. Rags. Soaps. Pens. Tools. Home improvement hardware. Plant grow supplies. Gifts for me nieces. The tagline, is just a tagline. Billionaires are not like me and scouring for cheap magic sponges.

Edit: also, temu did not invent drop shipping. Shopping on amazon is literally the same thing.

load more comments (4 replies)
load more comments (2 replies)
[–] [email protected] 28 points 2 days ago* (last edited 1 day ago) (1 children)

I'm shocked, I say. Shocked!
The idea of an app being used to gather additional dat~~e~~a from a customer!

load more comments (1 replies)
[–] fne8w2ah 18 points 1 day ago (1 children)

Also fuck their landfillware Chinesium "products".

[–] chiliedogg 13 points 1 day ago (1 children)

That's also most of what's on Amazon these days.

[–] [email protected] 10 points 1 day ago (1 children)

Amazon is just faster shipped temu garbage

[–] FunnyUsername 5 points 1 day ago* (last edited 1 day ago) (2 children)

Every person I've heard hate on temu shops on amazon, too. It's pretty ironic.

load more comments (2 replies)
[–] FlyingSquid 32 points 2 days ago (5 children)

Yesterday, I saw a Temu ad for something and I just wanted to open it to read the info and there were so many popups and "spin the wheel for a prize" and "enter your email here" and so on that I gave up and just looked for the info elsewhere. Never clicking on a Temu link again.

load more comments (5 replies)
[–] TwitchingCheese 66 points 2 days ago (6 children)

How about pass and enforce strong digital privacy protection laws you fucking cowards. When other countries spy on us it's scary and bad, but for US companies? Best we can do is ban porn and demand backdoors to stop E2EE messaging.

load more comments (6 replies)
[–] dhork 194 points 2 days ago (7 children)

"Temu is designed to make this expansive access undetected, even by sophisticated users," Griffin's complaint said. "Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place."

That's just nuts

[–] [email protected] 104 points 2 days ago* (last edited 2 days ago) (5 children)

Yeah, it is. It's such an extraordinary claim.

One requiring extraordinary evidence that wasn't provided.

"It's doing amazing hacks to access everything and it's so good at it it's undetectable!" Right, how convenient.

[–] GenitalHurricane 95 points 2 days ago* (last edited 2 days ago) (2 children)

Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.

An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.

In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables

load more comments (2 replies)
load more comments (4 replies)
load more comments (6 replies)
[–] maxinstuff 33 points 2 days ago (12 children)

All I want to know is what do these Temu people think my life is like?

[–] brlemworld 19 points 2 days ago

Are you a busty outdoorswoman?

[–] UnaSolaEstrellaLibre 16 points 2 days ago (2 children)

Weaponized fishing for covert military operations.

[–] Raiderkev 10 points 2 days ago

On a skateboard... with tits!

load more comments (1 replies)
[–] [email protected] 15 points 2 days ago (5 children)

I mean, you're obviously a sexy military mechanic woman, who goes into battle with fantasy battle armor and goes fishing as a hobby! Duh.

load more comments (5 replies)
[–] [email protected] 6 points 1 day ago* (last edited 21 hours ago)

It just thinks you’re a garden variety redneck.

load more comments (8 replies)
[–] [email protected] 115 points 2 days ago (12 children)

I'm sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren't possible unless Temu is packing some serious 0-days.

For example he says the app is collecting your fingerprint data. How would that even happen? Apps don't have access to fingerprint data, because the operating system just reports to the app "a valid fingerprint was scanned" or "an unknown fingerprint was scanned", and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?

And this is just one claim. It's just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn't be wasted on such trivial purpose. Because now that's it's "revealed", Google and Apple would patch them immediately.

But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.

[–] GenitalHurricane 66 points 2 days ago (2 children)
[–] MajinBlayze 72 points 2 days ago* (last edited 2 days ago) (6 children)

Here's the actual relevant part

These are security risks to be sure, and while these permissions are (mostly) on the surface, possibly defensible, together they do clearly represent an app trying to gather all of the data that it can.

However, a lot of info from this report is overblown. For example code compilation is sketchy to be sure, but without a privilege escalation attack, it can't do anything the app couldn't do with an update.

Also, there's some weird language in the report, like counting the green security issues in other apps (like tiktok) as if they were also a problem, despite the image showing that green here means it doesn't present that particular risk.

All of this to say, if you have temu, probably uninstall it. It's clearly collecting all the data it can get.

But it's unlikely to be the immediate threat that will have China taking over your phone like this report implies.

load more comments (6 replies)
load more comments (1 replies)
load more comments (11 replies)
[–] [email protected] 19 points 2 days ago

Like a worse AliExpress

[–] nicgentile 49 points 2 days ago* (last edited 2 days ago) (22 children)

The irony

[–] [email protected] 38 points 2 days ago (21 children)

First, you use Lemmy, that's great. But pls use a client without ads....

load more comments (21 replies)
load more comments (21 replies)
[–] Etterra 66 points 2 days ago (47 children)

I can't believe anyone would buy from Temu. I knew they were Chinese knockoff bullshit the second I saw their first obnoxious ad.

load more comments (47 replies)
[–] [email protected] 4 points 1 day ago

Not enough just to get someone else to take your cheap plastic shit to landfill after it's cluttered their space then I guess.

[–] RozhkiNozhki 77 points 2 days ago (7 children)

Temu is absolute cancer in terms of business practices so no surprise here at all.

load more comments (7 replies)
load more comments
view more: next ›