by loganfrederick on 9/7/23, 11:18 PM with 75 comments
by Calavar on 9/7/23, 11:57 PM
> You agree that the information on this website is copyrighted, and you therefore agree not to distribute this information (whether the downloaded file, copies / images / reproductions, or the link to these files) in any manner other than by providing the following link: http://GRIZZLYREPORTS.COM
So this HN submission is in violation of their (probably unenforceable) TOS just by virtue of linking to a path other than the root path of the domain.
> If you have obtained research published by Grizzly Research LLC in any manner other than by download from that link, you may not read such research without going to that link and agreeing to the Terms of Use on the Grizzly Research LLC designated website.
Quite ridiculous to expect that you can enforce a directive (don't read this article) on someone who hasn't visited your site and is therefore probably unaware that your TOS even exist.
by klik99 on 9/8/23, 12:36 AM
This has literally been every startup in SV for the last 15 years - aggressively lose money acquiring users when new and then when you've killed the competition, start making money. The only thing is I don't see any external funding, so maybe they're doing it with hidden funding or a stockpile from PDD?
This feels like a lot of weak sauce, from the weird combo of clickbait title with CYA "We Believe", throwing a bunch of weak evidence all at once, overwhelming you into accepting the premise. If you have "smoking gun" evidence like they claim, then you wouldn't need to hedge your statement with "We believe". And this is an investment research company, not a security company. I'd sooner believe a pillow salesman ranting about the deep state than this.
~Edit~ Counterpoint: looks like their other main product Pinduoduo was removed from Google Play due to malware, so it could actually be true. https://krebsonsecurity.com/2023/03/google-suspends-chinese-...
But I stand by my previous statement that literally nothing in this article is actual evidence, so if it does turn out to be true it's a coincidence.
by duskwuff on 9/8/23, 12:05 AM
"cmd package compile" doesn't compile source code at runtime. It forces ahead-of-time compilation of an application's existing bytecode, which is something which Android already does on an as-needed basis. I'm not sure why the Temu app would be running this command (performance, maybe?), but it isn't clearly dangerous either.
https://source.android.com/docs/core/runtime/jit-compiler
The rest of the analysis doesn't seem much better, e.g.
> 3) TEMU queries information related to files, and not just its own files, but wants information on all files on the user’s device by referencing “EXTERNAL_STORAGE”, superuser rights and log files.
The EXTERNAL_STORAGE permission is literally just external storage, like the name implies. It doesn't grant access to files in internal storage, like other applications' data or system logs.
> 5) “Root” access. TEMU checks if a device has “root” access.
Yes, this is fairly common. (And indeed, the table at the top of the report notes that most of the other shopping apps they analyzed did this.)
> 6) Encryption, decryption and shifting integer signals libraries are in prior versions of Pinduoduo and TEMU apps. The only purpose of this is obscuration of malicious intent.
I'm not even sure what they're trying to suggest by this. Are they actually assuming that any use of bit-shifting operators is malicious?
> 10) [...] The TEMU app even reads and stores the MAC address, which is a unique and global hardcoded network identifier of a device. This is a big No No in internet security. A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.
This is complete nonsense. MAC addresses don't work like that.
> 11) Looking over your shoulder while you use your smartphone. TEMU calls getWindow().getDecorView().getRootView(), to make screenshots
That only captures the appearance of the Temu application, not other applications on the system.
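For readers who have not seen these calls in context, the following is an added example (not code from the Temu app, from Pinduoduo, or from the Grizzly report) showing what the two items discussed above, a root check (point 5) and a `getWindow().getDecorView().getRootView()` capture (point 11), typically look like in an ordinary Android app. The package name, class name, method names and the list of `su` paths are this example's own choices; only the Android framework APIs used are real.

```java
// Added illustration, not code from any app named in the thread.
// Package, class and method names are hypothetical.
package com.example.appcheck;

import android.app.Activity;
import android.graphics.Bitmap;
import android.graphics.Canvas;
import android.os.Build;
import android.view.View;

import java.io.File;

public final class DeviceChecks {

    // Point 5: a conventional "is this device rooted?" heuristic.
    // It only stats a few well-known paths and reads a build property;
    // it does not request, obtain or use root privileges.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/su", "/su/bin/su", "/data/local/bin/su",
    };

    public static boolean looksRooted() {
        // Builds signed with the AOSP test keys are usually custom ROMs.
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            return true;
        }
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    // Point 11: render the calling Activity's own view hierarchy to a Bitmap.
    // getWindow() is this Activity's window, so the tree being drawn is the
    // app's own UI; other apps' windows are not part of it and cannot be
    // reached this way.
    public static Bitmap captureOwnWindow(Activity activity) {
        View root = activity.getWindow().getDecorView().getRootView();
        int width = root.getWidth();
        int height = root.getHeight();
        if (width <= 0 || height <= 0) {
            return null; // view not laid out yet, nothing to draw
        }
        Bitmap bitmap = Bitmap.createBitmap(width, height, Bitmap.Config.ARGB_8888);
        root.draw(new Canvas(bitmap));
        return bitmap;
    }

    private DeviceChecks() {}
}
```

Capturing what other apps display requires a different mechanism entirely: the MediaProjection API, which shows the user a system consent dialog each time a capture session starts. Likewise, the `cmd package compile` command from the linked ART documentation can be run by hand from a development machine with `adb shell cmd package compile -m speed -f <package>` to see that it only changes how the already-installed bytecode is compiled.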
by alsdkjasldkj on 9/7/23, 11:59 PM
> TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.
> TEMU is a notoriously bad actor in its industry. We see rampant user manipulation, chain-letter-like affinity scams to drive signups, and overall, the most aggressive and questionable techniques to manipulate large numbers of people to install the app.
> TEMU is demonstrably more dangerous than TikTok. The app should be removed from the Google and Apple app stores.
Grizzly Reports (https://twitter.com/ResearchGrizzly) is "focused on producing differentiated research insights on publicly traded companies through in-depth due diligence."
This seems like low quality junk to me.
by joneholland on 9/7/23, 11:57 PM
Are they short PDD? Tough choice considering China stocks are so manipulated you’ll go broke before the truth is revealed.
by dragontamer on 9/7/23, 11:46 PM
I think this blogpost is hyperbolic in its discussion and that's a bit unhelpful. But this does look like a serious problem on my first glance. I'd like to see what a real Android-developer thinks about these permissions though.
by Havoc on 9/7/23, 11:59 PM
Also noticed that they were specifically pushing in-app purchases hard with discounts etc.
…but didn’t connect the dots between those two odd things.
by pie_flavor on 9/8/23, 12:20 AM
Which is why I'm three times as suspicious of this site, which makes similarly ludicrous claims under the guise of malware research, like being able to DDoS a revealed MAC address. I am supposed to believe this article, whether or not it's true.
I understand the need to scattershot claims - if they just said 'TEMU has the ability to install packages onto your phone' then TEMU would issue some apology and release a new version that's sneakier about it.
But please, instead of smacking me in the face with a TOS/disclaimer that's supposed to ward off litigation over false/misleading claims, just don't publish false/misleading claims! Because that gives them the ammunition to say 'the stuff people are saying about TEMU is all lies'.
by saagarjha on 9/8/23, 12:30 AM
by kylehotchkiss on 9/8/23, 12:02 AM
The time is coming for Apple to support iCloud private relay for all 3rd party apps. Ideally nothing is leaving the phone without it shortly.
by daft_pink on 9/7/23, 11:57 PM
by diogenes4 on 9/8/23, 1:04 AM
by nonethewiser on 9/8/23, 12:11 AM
This website is questionable and I could really only find this other source or ones like it: https://www.usatoday.com/story/tech/columnist/komando/2023/0...
Still light on details and I'm not sure who this Komando person is but there is some real appeal to authority going on and no hard evidence of the claims.
Again, I would not be surprised if it was spyware and it seems wise to be suspicious. Hopefully we get more information.
by nonethewiser on 9/8/23, 12:05 AM
by sharkweek on 9/8/23, 1:16 AM
I’d honestly estimate 20% of the ads I see on websites now are TEMU. I’ve never clicked on one, and will never sign up. If they stop advertising the ad market will feel the waves.
The products being advertised to me are WILDLY irrelevant. It feels like they’re just shooting a shotgun into the air.
It looks like they’re selling only the cheapest stuff, like cutting the middleperson of the FIVE CAPITAL LETTER brand names that use Amazon Marketplace. As much as I don’t trust a plunger or measuring cup from HYYNA, I trust TEMU quality even less.
by winrid on 9/8/23, 12:09 AM
by croes on 9/8/23, 12:51 AM
THIS REPORT AND ALL STATEMENTS CONTAINED HEREIN ARE THE OPINIONS OF GRIZZLY RESEARCH LLC AND ARE NOT STATEMENTS OF FACT.
by modeless on 9/8/23, 12:02 AM
Temu sometimes gives you more flexibility to order a single copy of small items while Amazon might only have bundles. But then Temu has a minimum order size you must meet while Amazon doesn't. So I haven't found any reason to use Temu after their ridiculous free money coupon for new users is gone.
by mickelsen on 9/8/23, 1:53 AM
by meowtimemania on 9/8/23, 12:00 AM
by rado on 9/8/23, 4:49 AM
by ThrowawayTestr on 9/8/23, 12:30 AM
by actuallyrizzn on 9/8/23, 2:58 PM