> You agree that the information on this website is copyrighted, and you therefore agree not to distribute this information (whether the downloaded file, copies / images / reproductions, or the link to these files) in any manner other than by providing the following link: http://GRIZZLYREPORTS.COM
So this HN submission is in violation of their (probably unenforceable) TOS just by virtue of linking to a path other than the root path of the domain.
> If you have obtained research published by Grizzly Research LLC in any manner other than by download from that link, you may not read such research without going to that link and agreeing to the Terms of Use on the Grizzly Research LLC designated website.
Quite ridiculous to expect that you can enforce a directive (don't read this article) on someone who hasn't visited your site and is therefore probably unaware that your TOS even exist.
In keeping with the TOS though, methinks.
It seems like that's not a logically valid statement. Linking to a page on their website isn't a copyright violation (unless I'm mistaken). And the statement seems to be saying "you agree it is copyrighted and, because you agree it is copyrighted, you must also therefore be agreeing that you aren't allowed to link to it." Which doesn't follow. It seems like saying "you agree this ball is red and, therefore, you agree it is rubber"; the two things are effectively orthogonal.
This has literally been every startup in SV for the last 15 years - aggressively lose money acquiring users when new and then when you've killed the competition, start making money. The only thing is I don't see any external funding, so maybe they're doing it with hidden funding or a stockpile from PDD?
This feels like a lot of weak sauce, from the weird combo of clickbait title with CYA "We Believe", throwing a bunch of weak evidence all at once, overwhelming you into accepting the premise. If you have "smoking gun" evidence like they claim, then you wouldn't need to hedge your statement with "We believe". And this is an investment research company, not a security company. I'd sooner believe a pillow salesman ranting about the deep state than this.
~Edit~ Counterpoint: looks like their other main product Pinduoduo was removed from Google Play due to malware, so it could actually be true. https://krebsonsecurity.com/2023/03/google-suspends-chinese-...
But I stand by my previous statement that literally nothing in this article is actual evidence, so if it does turn out to be true it's a coincidence.
That is literally not true.
> But I stand by my previous statement that literally nothing in this article is actual evidence
I read the article. Some hand-wavey bits, yes, and some (probably) legal-cautious phrasing that you highlighted (eg the 'we believe' qualifier), but overall I find the evidence they've laid out to be highly compelling.
What evidence would you demand to concur that this is dangerous / spyware / a risk?
Ok, I was exaggerating. Rather, it is either the dominant or one of the major strategies for VC-funded SV companies at early stages: aggressively lose money acquiring users. It even happens outside VC. The Wired article linked in this article includes many good reasons why it's losing money: https://www.wired.com/story/temu-is-losing-millions-of-dolla...
Look, Temu sounds scummy as hell - sounds like they can't compete in the Chinese market and are trying to make a hail mary in the US market by being incredibly aggressive and using manipulative techniques.
> overall I find the evidence they've laid out to be highly compelling.
Have you ever worked on smartphone apps? There is nothing out of the ordinary; you can see that in the matrix of "security issues" - all other major apps use those things. The only thing that could be confusing is using the JIT, but Temu includes games so it's probably a scripting language in those games. The JIT isn't a security threat in itself - maybe an insecure language could run exploits, but there is no evidence of that happening. It can't create whole new programs with whole new permissions like this article implies.
> What evidence would you demand to concur that this is dangerous / spyware / a risk?
Anything out of the ordinary, other than a bunch of stuff that's normal plus big scary china. Specifically an example of it escalating access privileges would be a smoking gun.
Now - the fact that big companies have massive databases with names and addresses of people is a real issue. This is not unique to Temu or Chinese companies, and doesn't make Temu a spyware app.
My 60yo mother gets messaged every day on wechat from young Chinese ppl asking her to buy stuff on temu, they're all unemployed otherwise.
"cmd package compile" doesn't compile source code at runtime. It forces ahead-of-time compilation of an application's existing bytecode, which is something which Android already does on an as-needed basis. I'm not sure why the Temu app would be running this command (performance, maybe?), but it isn't clearly dangerous either.
https://source.android.com/docs/core/runtime/jit-compiler
The rest of the analysis doesn't seem much better, e.g.
> 3) TEMU queries information related to files, and not just its own files, but wants information on all files on the user’s device by referencing “EXTERNAL_STORAGE”, superuser rights and log files.
The EXTERNAL_STORAGE permission is literally just external storage, like the name implies. It doesn't grant access to files in internal storage, like other applications' data or system logs.
> 5) “Root” access. TEMU checks if a device has “root” access.
Yes, this is fairly common. (And indeed, the table at the top of the report notes that most of the other shopping apps they analyzed did this.)
> 6) Encryption, decryption and shifting integer signals libraries are in prior versions of Pinduoduo and TEMU apps. The only purpose of this is obscuration of malicious intent.
I'm not even sure what they're trying to suggest by this. Are they actually assuming that any use of bit-shifting operators is malicious?
> 10) [...] The TEMU app even reads and stores the MAC address, which is a unique and global hardcoded network identifier of a device. This is a big No No in internet security. A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.
This is complete nonsense. MAC addresses don't work like that.
> 11) Looking over your shoulder while you use your smartphone. TEMU calls getWindow().getDecorView().getRootView(), to make screenshots
That only captures the appearance of the Temu application, not other applications on the system.
This is true.
> A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.
This is extremely painful for me to read. I don't even know how to describe how this is wrong.
This is true of almost all PC network cards nowadays, and you should be able to turn this on easily.
> TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.
> TEMU is a notoriously bad actor in its industry. We see rampant user manipulation, chain-letter-like affinity scams to drive signups, and overall, the most aggressive and questionable techniques to manipulate large numbers of people to install the app.
> TEMU is demonstrably more dangerous than TikTok. The app should be removed from the Google and Apple app stores.
Grizzly Reports (https://twitter.com/ResearchGrizzly) is "focused on producing differentiated research insights on publicly traded companies through in-depth due diligence."
This seems like low quality junk to me.
So basically like facebook?
Are they short PDD? Tough choice considering china stocks are so manipulated you’ll go broke before the truth is revealed.
I think this blogpost is hyperbolic in its discussion and that's a bit unhelpful. But this does look like a serious problem on my first glance. I'd like to see what a real Android developer thinks about these permissions though.
Google clearly states that:
> To use this permission, your app's core functionality must include:
> Sending or receiving app packages, AND Enabling user-initiated installation of app packages. If your app does not meet the requirements for acceptable use below, you must remove it from your app's manifest in order to comply with Google Play policy. Suggestions for policy-compliant alternative implementations are also detailed below.
Which surely doesn’t seem the case for a shopping app?
> 2) We find the android.permission entries referenced in the proprietary parts of the decompiled source code, excluding occurrences in widely used and secure standard libraries by Android, Google, Facebook, PayPal and Klarna. Why would the proprietary source code reference these permissions, if it doesn’t have the option to use them in specific scenarios? Most importantly, many of these permissions in TEMU’s source code are not listed in their Android Manifest file, which is the standardized overview source for an app. For scrutinizing permission, the Android Manifest file is the first source to check permissions. Not mentioned in the Android manifest are the permission requests for CAMERA, RECORD_AUDIO, WRITE_EXTERNAL_STORAGE, INSTALL_PACKAGES, and ACCESS_FINE_LOCATION. It is not a coincidence that these permissions are the most intrusive ones when it comes to spying potential. For comparison, all the other apps listed in the cohort table enumerate all of these permissions in their Android Manifest, if they use them at all. The only exception is ACCESS_FINE_LOCATION by TikTok.
That's... not as strong of a link as I hoped this article would make.
So the code has references to INSTALL_PACKAGES. But doesn't seem to request it yet? Am I getting the argument from this post correctly?
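The distinction the two comments above turn on (a permission string appearing in decompiled code versus a permission declared in the manifest) is easy to check mechanically. The script below is an added example, not code from the report, from Temu or from the Android project: it parses a constructed AndroidManifest.xml fragment, scans constructed source snippets for `android.permission.*` strings, and lists the ones referenced in code but absent from the manifest. The package name, file paths and snippets are all made up for illustration. The security-relevant point it encodes is the one raised in the thread: Android only grants permissions the manifest declares, so a string in code (a `checkSelfPermission` call, a constant in a bundled library) is at most a hint for further review, not evidence that the app holds that permission.

```python
"""Triage helper: which permission strings referenced in app code are not
declared in AndroidManifest.xml? Added example with constructed inputs."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")

# Constructed manifest fragment; the package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed snippets standing in for decompiled source files.
SAMPLE_SOURCES = {
    "com/example/shop/Net.java":
        'String p = "android.permission.INTERNET";',
    "com/example/shop/Scan.java":
        'if (checkSelfPermission("android.permission.CAMERA") != GRANTED) {'
        ' request("android.permission.CAMERA"); }',
    "com/example/shop/Install.java":
        'static final String P = "android.permission.INSTALL_PACKAGES";',
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Permissions the app actually asks the platform for: <uses-permission>
    entries in the manifest. Only these can ever be granted."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def referenced_permissions(sources: dict[str, str]) -> dict[str, set[str]]:
    """Map each permission string found in code to the files mentioning it."""
    refs: dict[str, set[str]] = {}
    for path, text in sources.items():
        for perm in PERM_RE.findall(text):
            refs.setdefault(perm, set()).add(path)
    return refs


def undeclared_references(manifest_xml: str,
                          sources: dict[str, str]) -> dict[str, set[str]]:
    """Permission strings present in code but not in the manifest.
    These are review leads (dead code, a library's constants, a gated
    feature), not permissions the app holds."""
    declared = declared_permissions(manifest_xml)
    return {
        perm: files
        for perm, files in referenced_permissions(sources).items()
        if perm not in declared
    }


if __name__ == "__main__":
    findings = undeclared_references(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for perm, files in sorted(findings.items()):
        print(f"{perm}: referenced in {sorted(files)}, "
              f"not declared in manifest, so it cannot be granted at runtime")
```

On a real APK you would feed `declared_permissions` the manifest decoded from the package and `referenced_permissions` the decompiled sources, then read each hit in context before drawing any conclusion; the comparison table in the report is essentially this output without that second step.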
https://play.google.com/store/apps/details?id=com.einnovatio...
My kid bought something from Temu recently and it was ridiculously low-priced. I told him the quality must be terrible...and I was wrong. I was kind of shocked and wondered what the "catch" was.
Of course, I hadn't installed the app but wow, now I have the heebie-jeebies just thinking about it.
General Office of the Central Committee of the Chinese Communist Party
West Building
Zhongnanhai
Beijing
People's Republic of China
I think TEMU is a super shady company but I don't think the app is the vector to worry about.
Also noticed that they were specifically pushing in-app purchases hard with discounts etc.
…but didn’t connect the dots between those two odd things.
No, Temu is not an ethical brand.
A U.S. Congressional Report from June 2023 raised alarming concerns about Temu and Shein’s potential links to forced labor. The report highlighted an “extremely high risk” of products on Temu being associated with forced labor, and the committee expressed particular worry about the exploitation of U.S. de minimis provisions by both companies. The de minimis threshold of $800 allows goods below this value to enter the country without inspection, which could contribute to potential issues with labor practices.
Furthermore, the report revealed that Temu lacks a specific policy against goods made in Xinjiang, where evidence suggests forced labor may occur.
Even with shipping, it’s unclear exactly how much Temu would actually be losing per order depending on how efficient their distribution network is.
Clearly China has been proven to be untrustworthy when it comes to their technology, apps included, so I tend to do the opposite of giving them the benefit of the doubt, and just assume their apps are untrustworthy by default.
Which is why I'm three times as suspicious of this site, which makes similarly ludicrous claims under the guise of malware research, like being able to DDoS a revealed MAC address. I am supposed to believe this article, whether or not it's true.
I understand the need to scattershot claims - if they just said 'TEMU has the ability to install packages onto your phone' then TEMU would issue some apology and release a new version that's sneakier about it.
But please, instead of smacking me in the face with a TOS/disclaimer that's supposed to ward off litigation over false/misleading claims, just don't publish false/misleading claims! Because that gives them the ammunition to say 'the stuff people are saying about TEMU is all lies'.
The time is coming for Apple to support iCloud private relay for all 3rd party apps. Ideally nothing is leaving the phone without it shortly.
So yes, it's designed to move the stock market. That doesn't mean it's wrong, though.
This website is questionable and I could really only find this other source or ones like it: https://www.usatoday.com/story/tech/columnist/komando/2023/0...
Still light on details and I'm not sure who this Komando person is, but there is some real appeal to authority going on and no hard evidence of the claims.
Again, I would not be surprised if it was spyware and it seems wise to be suspicious. Hopefully we get more information.
I’d honestly estimate 20% of the ads I see on websites now are TEMU. I’ve never clicked on one, and will never sign up. If they stop advertising the ad market will feel the waves.
The products being advertised to me are WILDLY irrelevant. It feels like they’re just shooting a shotgun into the air.
It looks like they’re selling only the cheapest stuff, like cutting the middleperson of the FIVE CAPITAL LETTER brand names that use Amazon Marketplace. As much as I don’t trust a plunger or measuring cup from HYYNA, I trust TEMU quality even less.
THIS REPORT AND ALL STATEMENTS CONTAINED HEREIN ARE THE OPINIONS OF GRIZZLY RESEARCH LLC AND ARE NOT STATEMENTS OF FACT.
Temu sometimes gives you more flexibility to order a single copy of small items while Amazon might only have bundles. But then Temu has a minimum order size you must meet while Amazon doesn't. So I haven't found any reason to use Temu after their ridiculous free money coupon for new users is gone.