F

Temu

Fail
PDD Holdings · 🇨🇳 China
Technical details
Manufacturer: PDD Holdings

⚠️ The bottom line

In September 2023, short-seller Grizzly Research hired independent security experts to tear apart Temu's code. They found 18 dangerous software functions — every red flag on their checklist — including runtime.exec(), which lets the app inject new code onto your phone after install, completely bypassing app store reviews. The experts unanimously called Temu "very virulent malware/spyware." By February 2026, Texas AG Ken Paxton had filed suit calling it "Chinese Communist spyware disguised as a shopping app." The app can literally rewrite itself on your phone without your knowledge. In March 2023, Google suspended Pinduoduo — Temu's sister app from the same parent company — from the Play Store after discovering it exploited roughly 50 Android vulnerabilities. Security researcher Toshin called it "the most dangerous malware ever found among mainstream apps." PDD Holdings had hired 100 programmers specifically to find exploitable holes in Android. Grizzly Research later found Temu shares the same underlying codebase as the malware-laden Pinduoduo. The company that built that app then built Temu.

Legal jurisdiction
🇨🇳 China (headquarters)
National Intelligence Law
Company must secretly hand data to Chinese intelligence on request
Data Security Law
State can classify any data as 'important' and demand access for national security
Spying
4/4 EXTREME
Is someone spying on me?
Kids at risk
Data Sharing
4/4 EXTREME
Who gets my data?
Kids at risk
Security
4/4 EXTREME
Is it actually secure?
Honesty
3/4 HIGH
Can I trust what they say?
Kids at risk
REPLACE: Extreme risk. Look for alternatives or lock down hard.
9 Contradictions
5 Critical
4 High
0 Medium
8 Sources
Findings by concern
Spying 4/4 EXTREME 5 findings
⚠️ critical · policy claims vs regulatory findings
China's National Intelligence Law, Article 7, compels every Chinese organization to "support, assist, and cooperate with national intelligence work." PDD Holdings is a Chinese company. The Center for Strategic and International Studies concluded Temu gives the CCP "an unprecedented vector for surveillance and collection." Texas AG Ken Paxton put it bluntly: Temu collects personal data designed to hide that it's "subject to unfettered use by an adversarial government." When 300 million Americans install this app, they're potentially handing biometric and behavioral data to Chinese intelligence.

What they claim: Temu's privacy policy implies user data is handled responsibly with appropriate safeguards.

What we found: Under China's National Intelligence Law Article 7, Chinese organizations must support and cooperate with intelligence work. CSIS concluded Temu could give the CCP an unprecedented vector for surveillance. Texas AG alleged Temu collects PII to prevent users from knowing it's subject to unfettered use by an adversarial government. Code is deliberately obfuscated to hide these functions.

⚠️ critical · marketing vs regulatory
Arkansas sued Temu, calling it "dangerous malware." The state alleges the app accesses your camera, microphone, texts, contacts, and other apps — everything on your phone — for a shopping app. Temu's parent company is in China. You downloaded a bargain store. Arkansas says you downloaded spyware with a shopping cart.

What they claim: Temu promotes itself as an affordable shopping platform

What we found: Arkansas filed a lawsuit against Temu in 2024 alleging the app is "dangerous malware" that gains access to virtually all data on users' phones. The lawsuit claims Temu can access camera, microphone, GPS, contacts, text messages, and other installed apps — far beyond what a shopping app needs. Temu's parent company PDD Holdings is based in China and subject to China's National Intelligence Law.

⚠️ critical · policy vs regulatory
Oklahoma's Attorney General sued Temu in May 2026, saying the app "secretly infiltrates" your phone to access your microphone, camera, location, and what you do in other apps. Texas called it "spyware disguised as a shopping app." Kentucky piled on. Four state governments now say the same thing: this isn't a shopping app, it's a surveillance tool with a checkout button.

What they claim: Temu's privacy policy presents standard data collection for shopping functionality.

What we found: In May 2026, Oklahoma AG filed suit alleging Temu "secretly infiltrates users' devices" to access precise location, microphone, camera, and activity on other apps. Texas AG called it "spyware disguised as a shopping app" in February 2026. Kentucky AG also sued. Four state attorneys general are now actively litigating against Temu.

⚡ high · policy claims vs app permissions
Nebraska AG Michael Hilgers filed suit in June 2025 revealing Temu wants your call logs, contacts, photos, microphone, camera, gyroscope, clipboard, and Bluetooth access. It also scans your phone for WhatsApp, Signal, Telegram, Discord, and other apps. A shopping app has no reason to know what messaging apps you use or to access your gyroscope. Nebraska found it "unlawfully harvests data, including from kids." By 2026, at least five states — Texas, Nebraska, Kentucky, Arkansas, and Illinois — had filed lawsuits.

What they claim: Temu collects data to improve shopping experience and provide services.

What we found: Multiple state AG lawsuits document Temu requesting call logs, contacts, photos, location, microphone, camera, gyroscope, clipboard, and Bluetooth. Nebraska AG found the app scans for other installed apps including WhatsApp, Signal, Telegram, and Discord. The app can auto-install software without consent.

⚡ high · policy claims vs app permissions
Temu says you must be 18 to use it. Meanwhile, Nebraska AG Michael Hilgers found the app "unlawfully harvests data, including from kids" with zero meaningful age verification. The app uses spin-the-wheel games, countdown timers, and daily rewards — addiction mechanics designed to hook young users. Kentucky AG Russell Coleman followed in July 2025 with similar allegations. The app that claims to be adults-only was designed with the dopamine-hijacking playbook of a casino slot machine, and children are pulling the lever while their data flows to servers subject to Chinese intelligence law.

What they claim: Temu's terms state users must be 18 or have parental consent.

What we found: Nebraska AG alleged Temu unlawfully harvests data including from kids. The app uses gamification — spin-the-wheel, countdown timers, daily rewards — designed to be addictive to minors. No meaningful age verification. Kentucky AG's July 2025 lawsuit cited harm to children. Gamification mirrors documented social media addiction techniques.

Data Sharing 4/4 EXTREME 1 finding
⚡ high · policy claims vs regulatory findings
You think Temu makes money selling you $2 phone cases? Grizzly Research found that in 2022, over 80% of Temu's revenue came from selling advertising services, not products. The report concluded "data sales may be PDD's true business model, selling data in truly massive quantities." The cheap goods are the bait. You are the product. Every $3 purchase is a data harvesting event that generates more value from your behavioral profile than from the transaction itself. The unsustainably low prices aren't generosity — they're the cost of acquiring your data.

What they claim: Temu is an e-commerce platform that makes money selling products.

What we found: Grizzly Research found over 80% of 2022 revenues came from selling advertising services, not products. The report argued data sales may be PDD's true business model, selling data in truly massive quantities. Temu routinely sells products below manufacturing cost as loss leaders for data harvesting.

Security 4/4 EXTREME 3 findings
⚠️ critical · policy claims vs app permissions
In September 2023, short-seller Grizzly Research hired independent security experts to tear apart Temu's code. They found 18 dangerous software functions — every red flag on their checklist — including runtime.exec(), which lets the app inject new code onto your phone after install, completely bypassing app store reviews. The experts unanimously called Temu "very virulent malware/spyware." By February 2026, Texas AG Ken Paxton had filed suit calling it "Chinese Communist spyware disguised as a shopping app." The app can literally rewrite itself on your phone without your knowledge.

What they claim: Temu's privacy policy states it collects only data necessary to provide the service.

What we found: Grizzly Research's September 2023 report found 18 dangerous software functions including runtime.exec() — the holy grail of malware — allowing code injection at runtime bypassing security scans. Independent experts unanimously called Temu very virulent malware/spyware. Texas AG Ken Paxton described it as Chinese Communist spyware disguised as a shopping app.

⚠️ critical · policy claims vs firmware analysis
In March 2023, Google suspended Pinduoduo — Temu's sister app from the same parent company — from the Play Store after discovering it exploited roughly 50 Android vulnerabilities. Security researcher Toshin called it "the most dangerous malware ever found among mainstream apps." PDD Holdings had hired 100 programmers specifically to find exploitable holes in Android. Grizzly Research later found Temu shares the same underlying codebase as the malware-laden Pinduoduo. The company that built that app then built Temu.

What they claim: Temu presents itself as a safe, standard e-commerce application.

What we found: Parent company PDD Holdings had sister app Pinduoduo suspended from Google Play in March 2023 after exploiting approximately 50 Android vulnerabilities including CVE-2023-20963. Researcher Toshin called Pinduoduo the most dangerous malware ever found among mainstream apps. PDD recruited 100 programmers to find Android exploits. Grizzly found Temu shares the same codebase.

⚡ high · policy claims vs regulatory findings
Temu ships millions of packages directly from Chinese factories to American doorsteps using the de minimis loophole — anything under $800 skips customs entirely. Kentucky AG Coleman accused the company of using forced labor. The Uyghur Forced Labor Prevention Act presumes Xinjiang goods are made with forced labor, but Temu's direct-shipping model means those goods never pass through inspection. Congress has flagged this as both a human rights and national security concern. Your $4 gadget may have been assembled by someone who had no choice.

What they claim: Temu claims to uphold ethical business practices and comply with applicable laws.

What we found: Kentucky AG accused Temu of using forced labor in its supply chain. The US Uyghur Forced Labor Prevention Act presumes goods from Xinjiang are made with forced labor. Temu exploits the de minimis loophole — packages under $800 bypass customs — to ship millions of packages directly from Chinese factories without supply chain scrutiny.

Sources