Arizona Attorney General Kris Mayes has filed a lawsuit against Chinese-owned e-commerce platform Temu, alleging covert data theft, use of malware, and systematic consumer deception in violation of the Arizona Consumer Fraud Act.
The lawsuit targets both Temu’s US operator Whaleco Inc. and its Chinese parent company PDD Holdings, formerly Pinduoduo Inc. Arizona’s forensic investigation uncovered that the Temu app, which became the most downloaded shopping app in the US in 2023, is not merely a retail platform but functions as a sophisticated surveillance tool harvesting vast amounts of sensitive user data without consent.
Founded in 2022, Temu rapidly gained traction in the US with its “shop like a billionaire” campaigns, including high-profile Super Bowl ads. The company now facilitates tens of millions of shipments annually through a network of over 80,000 China-based sellers.
The legal complaint is based on a months-long forensic investigation conducted by Arizona’s Attorney General’s Office, which scrutinized the Temu app and its predecessor, the Pinduoduo app. The analysis revealed that Temu was designed with the intent to evade scrutiny, reconfigure itself after installation, and surreptitiously harvest user data, including:
- Real-time GPS location, even when location permissions were disabled
- Microphone and camera access
- Lists of installed apps and associated accounts
- Unique device identifiers like IMEI, MAC address, and advertising IDs
- WiFi network information, enabling passive location tracking
Much of the app’s behavior is enabled through proprietary frameworks like “Manwe” and “ZipPatch”, which allow Temu to bypass the Apple App Store and Google Play Store’s security oversight by pushing code updates directly to users’ devices, essentially letting the app “self-edit” post-installation.
The State’s findings confirm that Temu retains code and security-evading features directly copied from the Pinduoduo app, which Google had banned in March 2023 for containing malware.
Temu’s parent company, PDD Holdings, is registered in the Cayman Islands but operates from China and, more recently, claims executive offices in Ireland. The complaint highlights that Chinese law compels companies like PDD Holdings to cooperate with state intelligence agencies, raising fears that data collected through Temu could be shared with the Chinese government.
According to the lawsuit, “It can reasonably be assumed that the data Temu is illicitly collecting from Arizona users is being sent to and used by the Chinese government.”
Beyond the app’s surveillance capabilities, the State accuses Temu of routine consumer fraud, including advertising counterfeit goods that resemble those of trusted Arizona brands such as Fender Guitars, the Arizona Cardinals, and state universities. Also, Temu is accused of delivering products that differ from what was advertised, faking product reviews, mischarging customers, and using bait-and-switch referral schemes promising rewards that never materialize.
Attorney General Mayes is seeking a permanent injunction that would ban Temu from collecting or storing Arizonans’ personal data, halt deceptive trade practices, and impose civil penalties and restitution.
The State of Montana has already banned the app from government devices, and a US congressional investigation is underway over Temu’s data collection practices.
Leave a Reply