Arkansas AG lawsuit claims Temu’s shopping app is ‘dangerous malware’

Arkansas Attorney General Tim Griffin made sweeping claims against e-commerce app Temu in a lawsuit on Tuesday, accusing the company of violating state law against deceptive trade practices.

“Temu purports to be an online shopping platform, but it is dangerous malware, surreptitiously granting itself access to virtually all data on a user’s cell phone,” Griffin alleges.

“Temu’s conduct came to light following the removal of the Pinduoduo app from Google’s Play Store due to the presence of malware that exploited vulnerabilities in users’ phone operating systems and allowed the app not only to gain undetected access to virtually all data stored on the phones, but also to recompile itself and potentially change its properties once installed, in a manner designed to avoid detection,” the lawsuit claims, pointing to concerns from Apple about Temu’s compliance with data security transparency standards. Apple told Politico last year the app was available on its app store after resolving the concerns.

The lawsuit alleges that Temu’s app may be even more dangerous than Pinduoduo’s. It cites an article from Grizzly Research, a firm “focused on producing differentiated research insights on publicly traded companies through in-depth due diligence.” The lawsuit cites findings in the report that “the Temu app has the capability to hack users’ phones and override data privacy settings that users have purposely set to prevent their data from being accessed.”

The AG claims that Temu collects far more data than necessary to run a shopping app, including sensitive or personally identifiable information. For example, the suit alleges that Temu misleads users in its requests to access information, such as location, when uploading a photo. “A reasonable consumer would assume that the location permission is confined to the use of photo uploads. The permission, however, extends to any time the user engages with the Temu app,” the suit claims. It also alleges that Temu “sneaks” permissions to access audio and visual recording and storage on a device.

Temu, Google, and Apple did not immediately respond to requests for comment.