REASON The Temu application is prohibited from entering Indonesia
HOLIDAY NEWS - The reason why the government prohibits the Temu application from entering and operating in Indonesia has been revealed. Temu, an e-commerce application from China, has recently become a topic of conversation in Indonesia. This is because the marketplace application, similar to Tokopedia, Shopee, etc., is prohibited from entering the country due to its potential to harm the domestic market, including micro, small and medium enterprises (MSMEs).
Apart from the business competition aspect, apparently Temu is also considered dangerous due to security and privacy factors.
This security and privacy threat was discussed by a public research company called Grizzly Research. According to research by this United States-based company, the Temu application, which can be downloaded on Android and iOS, has a series of characteristics of the most aggressive forms of malware and spyware. Malicious software (malware) is dangerous software that is specifically designed to disrupt, damage or steal information from a user's device.
On the other hand, spyware is a type of malware that is installed on a device without the user's knowledge, which is capable of collecting personal and sensitive information such as passwords and credit card numbers.
The characteristics in question include the presence of hidden functions, which allow massive data theft without the user's knowledge. This could potentially give criminals full access to almost all the data on a user's mobile device.
In the source code of the Temu application, which was analyzed by various data security experts with Grizzly Research, a package compile function using runtime.exec was found.
This allows new programs to be created within the application.
This program is not visible to security scans before or after application installation. The program was also not visible in deeper penetration testing.
In this way, Temu could fulfill various requirements and tests to enter application stores such as the Google Play Store, even though it actually has an open door (backdoor) that can be misused to steal user data.
For example, Temu could simply send source code to its applications, encrypted and masked as non-suspicious data.
This code is then compiled into a file that can be executed on the user's smartphone.
This file can then become malicious in the future, which can be controlled by foreign servers.
This file is also said to be adaptable, aka reactive to updates to the application.
The next characteristic: Temu wants all the information about all the files on the user's device with reference to the "EXTERNAL_STORAGE" permission, which is actually an administrator (superuser) right.
In other words, depending on the specific Android version, the Temu app can be used to read, process, and modify all user and system data, including chat logs, images, and user content in other apps.
Grizzly Research also claims that Temu has a file upload function, which is based on a command server connected to their application programming interface (API, useful for connecting several software/applications), "us.temu.com". This means that once a user grants file storage permission to the Temu app, without even realizing it, Temu can remotely collect all the files on the user's device and send them to their own servers. The same applies to other permissions.
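The following is an added example, not code from the Grizzly Research report or from this article: a static triage pass over a decoded AndroidManifest.xml and decompiled Java sources that flags the two indicators described above, storage permissions and Runtime.exec call sites. The package name com.example.shop, the sample inputs, the regexes and the function names are all constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed regexes for the behaviours the report names; tune for real code bases.
CODE_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "dynamic_code_loading": re.compile(r"\b(DexClassLoader|InMemoryDexClassLoader)\b"),
}

def storage_permissions(manifest_xml):
    """Return the *_EXTERNAL_STORAGE permissions declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    return sorted(n for n in names if n.endswith("_EXTERNAL_STORAGE"))

def scan_sources(sources):
    """sources maps path -> file text; returns (path, line_number, finding) tuples."""
    findings = []
    for path, text in sorted(sources.items()):
        for number, line in enumerate(text.splitlines(), 1):
            for name, pattern in CODE_PATTERNS.items():
                if pattern.search(line):
                    findings.append((path, number, name))
    return findings

def triage(manifest_xml, sources):
    """Escalate only when process spawning coexists with storage access."""
    perms = storage_permissions(manifest_xml)
    hits = scan_sources(sources)
    kinds = {kind for _, _, kind in hits}
    return {
        "storage_permissions": perms,
        "code_hits": hits,
        "needs_manual_review": bool(perms) and "runtime_exec" in kinds,
    }

# Constructed sample inputs (not taken from any real application).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
SAMPLE_SOURCES = {
    "com/example/shop/Main.java": "class Main { }\n",
    "com/example/shop/Util.java": "class Util {\n  void run(String c) throws Exception {\n    Runtime.getRuntime().exec(c);\n  }\n}\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_SOURCES))
```

Both indicators also appear in legitimate apps, so a hit is a lead for manual review of what is executed and where its input comes from, not a verdict.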
Sued by the attorney general
This Grizzly Research report was used by Tim Griffin as Attorney General of Arkansas, United States, to sue Temu.
Griffin filed this lawsuit in June 2024. Griffin cited an investigation that accused PDD Holdings (the owner of Temu) of being a fraudulent company, and that Temu was cleverly concealed spy software and posed an urgent security threat to the United States. Griffin also cited various research reports and news media that revealed the design of the Temu app. It is claimed this design could intentionally allow Temu to gain unfettered access to a user's phone operating system (OS), including the camera and text messages.
"Temu is designed to make this broad access undetectable, even by sophisticated users," Griffin's lawsuit states.
"Once installed, Temu can recompile itself and change properties, including overriding data privacy settings that users say they have implemented themselves," he added.
Temu is also suspected of having sold, or planning to sell, data stolen from Western countries illegally, to maintain a business model that is doomed to failure. It is called that because cheap shopping applications such as Temu have been proven not to provide sustainable profits. Griffin hopes that a trial jury will find that Temu's alleged practices violate the Arkansas Deceptive Trade Practices Act (ADTPA) and the Arkansas Personal Information Protection Act.
If Temu loses, the company could be fined 10,000 US dollars (equivalent to IDR 153.9 million) per ADTPA violation, as well as ordered to return profits from sales of data, and fraudulent sales on the application.
Temu's Response
A Temu spokesperson, speaking to technology news site Ars Technica, was shocked by the lawsuit.
"The accusations in the lawsuit are based on misinformation circulating on the internet, especially from stock sellers, and are completely baseless," said a Temu spokesperson as quoted by KompasTekno from Ars Technica, Thursday (3/10/2024).
"We categorically deny these allegations and will defend ourselves vigorously," the Temu spokesperson continued. Temu plans to defend itself against the lawsuit.
At the same time, the company also seems potentially open to making changes based on the criticism leveled in Griffin's lawsuit. "We understand that as a new company with an innovative supply chain model, some people may misunderstand us at first glance and not welcome us," said a Temu spokesperson.
"We are committed to the long term and believe that supervision (of us) will ultimately benefit our development. We are confident that our actions and contributions to society will speak for themselves as time goes by," he concluded. (*)