“Temu is designed to make this expansive access undetected, even by sophisticated users,” Griffin’s complaint said. “Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place.”
That’s just nuts
This is why companies like Apple are at least a tiny bit correct when they go on about app security and limiting code execution. The fact it aligns with their creed of controlling all of the technology they sell makes the whole debate a mess, though. And it does not excuse shitty behavior on their part.
But damn
And if they got this past Apple in their platforms. That’s even wilder.
Yeah, it is. It’s such an extraordinary claim.
One requiring extraordinary evidence that wasn’t provided.
“It’s doing amazing hacks to access everything and it’s so good at it it’s undetectable!” Right, how convenient.
Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.
An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.
In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables
So wait, bit-shifting some integers is now considered being malicious? Is that really the defense here? Using that definition just about all software in existence is malicious.
Bit shifting is not malicious on its own. Bit shifting to specifically conceal the purpose of your policy violating code from the auditors who audit the apps submitted to the App Store is malicious.
It’s about why you are doing it and what you are doing with it and not that it’s bit shifting on it’s own.
Have any of you actually ever stopped to process what the tagline, “I’m shopping like a billionaire” means?
I’ve always interpreted it as,
I’m needlessly buying things that don’t make me happy, but making the purchase without any hesitation, knowing that the purchase price could never financially impact me in any real way. When I purchase the thing, I’ll probably never use it or actually take it out of the box even. It is just empty, hollow. And somewhere inside, I always know that it’s all only possible, because I’m actively exploiting the cheap labor of scores of other people that are made to perpetually suffer in generations of abject poverty to allow for my relative comfort…
🎶*“I’m shopping like a billionaire!”*🎶
I am disabled and have limited income I don’t have control over increasing or decreasing. I use temu to save a lot of money on essential things that should be cheap but are still overpriced in America. Sponges. Rags. Soaps. Pens. Tools. Home improvement hardware. Plant grow supplies. Gifts for me nieces. The tagline, is just a tagline. Billionaires are not like me and scouring for cheap magic sponges.
Edit: also, temu did not invent drop shipping. Shopping on amazon is literally the same thing.
Good to know people that are disabled don’t mind using shitty maleware apps, I guess?
What’s your point combining using the malware app with you being disabled? Is that supposed to make the app better somehow?
You’re not special because you’re disabled. Things you use aren’t magical amazing. You’re still the same as everyone else.
That’s… not what they were saying? They were responding to a comment saying it encourages consumerism by saying that they use it for better prices on things they need regardless
What does being disabled have to do it?
That’s why they’re broke
Well this disabled person thinks you’re a dumb asshole.
For what reason exactly?
Other commenters have already corrected your thinking, don’t pretend like you didn’t read them.
I completely forgot about this post. I’m not going to read any more comments than I did however long ago the conversation originally was. Oh shit it’s almost 2 weeks old lmao I don’t give a fuck
I’m sure Temu collects all information you put into the app and your behaviour in it, but this guy is making some very bold claims about things that just aren’t possible unless Temu is packing some serious 0-days.
For example he says the app is collecting your fingerprint data. How would that even happen? Apps don’t have access to fingerprint data, because the operating system just reports to the app “a valid fingerprint was scanned” or “an unknown fingerprint was scanned”, and the actual fingerprint never goes anywhere. Is Temu doing an undetected root/jailbreak, then installing custom drivers for the fingerprint sensor to change how it works?
And this is just one claim. It’s just full of bullshit. To do everything listed there it would have to do multiple major exploits that are on state-actor level and wouldn’t be wasted on such trivial purpose. Because now that’s it’s “revealed”, Google and Apple would patch them immediately.
But there is nothing to patch, because most of the claims here are just bullshit, with no technical proof whatsoever.
Yeah, I don’t like Temu, and I’m sure the app is a privacy nightmare, but these claims don’t seem right. If it’s true, I’d like to see someone else verify it.
The article links to this as technical proof https://grizzlyreports.com/we-believe-pdd-is-a-dying-fraudulent-company-and-its-shopping-app-temu-is-cleverly-hidden-spyware-that-poses-an-urgent-security-threat-to-u-s-national-interests/
There’s analysis of decompiled source code.
The analysis shows it’s spyware, which I don’t question. But it’s spyware in the bounds of Android security, doesn’t hack anything, doesn’t have access to anything it shouldn’t, and uses normal Android permissions that you have to grant for it to have access to the data.
For example the article mentions it’s making screenshots, but doesn’t mention that it’s only screenshots of itself. It can never see your other apps or access any of your data outside of it that you didn’t give it permission to access.
Don’t get me wrong, it’s very bad and seems to siphon off any data it can get it’s hands on. But it doesn’t bypass any security, and many claims in the article are sensational and don’t appear in the Grizzly report.
That is not entirely correct. The reported found the app using permissions that are not covered by the manifest. It also found the app being capable to execute arbitrary code send by temu. So it cannot be clearly answered if the app can utilize these permissions or not. Obviously they would not ship such an exploit with the app directly.
The reported found the app using permissions that are not covered by the manifest.
It didn’t found them using them, it’s an important distinction. It found code referring to permissions that are not covered by the Manifest file. If that code was ran, the app would crash, because Android won’t let an app request and use a permission not in the Manifest file. The Manifest file is not an informational overview, it’s the mechanism through which apps can declare permissions that they want Android to allow them to request. If it’s not in the Manifest, then it’s not possible to use. It’s not unusual to have a bunch of libraries in an app that have functionality you don’t use, and so don’t declare the required permissions in the Manifest, because you don’t use them.
It also found the app being capable to execute arbitrary code send by temu.
Yeah, which is shady, but again, there is nothing to indicate that code can go around any security and do any of the sensational things the article claims.
The Grizzly reports shows how the app tricks you into granting permissions that it shouldn’t need, very shady stuff. But it also shows they don’t have a magical way of going around the permissions. The user has to actually grant them.
Wouldn’t the phone have to have your fingerprint stored in order to compare it to the one scanned?
Yes, the phone does, but that data is protected in the hardware and never sent to the software, the hardware basically just sends ok / not ok. It’s not impossible to hack in theory, nothing is, but it would be a very major security exploit in itself that would deserve a bunch of articles on it’s own. And would likely be device specific vulnerability, not something an app just does wherever installed.
Pretty sure this is not true. That’s how apple’s fingerprint scanners work. On android the fingerprint data is stored either in the tpm or a part of the storage encrypted by it.
Yeah, so the app never sees it. What are you disagreeing with?
I just corrected that, can’t I without disagreeing?
I mean that I don’t know what part of my comment is “not true”. I welcome corrections, I just don’t see what is being corrected here.
It doesn’t send a yes/no signal it sends the fingerprint to be compared to the stored one
All I want to know is what do these Temu people think my life is like?
I mean, you’re obviously a sexy military mechanic woman, who goes into battle with fantasy battle armor and goes fishing as a hobby! Duh.
Are you a busty outdoorswoman?
Comments here: “Yeah right, I’ll believe it when they explain how.”
Article: literally has a section explaining how
Edit:
Replies: “Yeah, but that’s just a summary. I’ll believe it when they explain in full detail.”
Article: literally has a link to the detailed explanation
The claim is they completely bypass all Android and iOS security is pretty unbelievable.
If so then the real discussion is how these zero day exploits are just sitting around.
EDIT: It seems the focus is on Android but all the information is nonsensical, like AI generated buzzword bingo.
That source looks better indeed.
Ars quotes nonsense like “bypasses the security” and “exploit the user”.
Those terms have meaning and they aren’t applicable here.
At the end though they do say things like
is able to hack your phone from the moment you install the app
Without any credible evidence.
The irony
First, you use Lemmy, that’s great. But pls use a client without ads…
You can pay just a few dollars to remove the ads from Boost.
Bro why using Lemmy if it’s for using proprietary client? Voyager, Jerboa, you have others choice…
Ask the 100,000 people that downloaded Boost, not me.
Probably people who have been using Boost for Reddit before and now want the same experience but for Lemmy
That’s what you get for using a proprietary Lemmy app. Switch to Thunder, it doesn’t have ads, it’s open source and in my opinion has the best UI out of all Lemmy apps. Also support the development and join their community: [email protected]
Jerboa here but same
I tried using Jerboa and found it to be incredibly buggy and poorly designed. Not sure what’s going on there, considering that it’s the official mobile app made by the Lemmy devs
Has worked mostly fine for me, YMMV
Shocked i tell you. I am shocked.
No way an app would collect data it doesnt need. Preposterous.
Next thing you’ll tell me is that tiktok is doing the same thing!
What about Meta and Google?
Them too, but lukewarm by comparison.
Erm, WhatsApp would suggest otherwise.
WhatsApp was the vector for zero click access to a target’s phone from Israel’s weapons grade hacking Pegasus toolkit. They would send a video call, typically in the middle of the night, and with no input from the used they’d get full access. My personal belief is that they used functionality WhatsApp itself uses to access user data.
There was also an encrypted phone called ANOM, which had this trick calculator app with a hidden encrypted messager. “Made for criminals, by criminals”. Except, when the guy started his business he got investment from the FBI and Australian Federal Police to pay for the servers and some of the phones themselves. Basically every time it sent an encrypted message it sent a separate encrypted message to the ANOM servers. It’s entirely possible (perhaps even likely) that WhatsApp would do this also.
As for Google, they’re truly insidious. Lots of banks now require you to connect to Google captcha servers - they don’t give you the pictures, it’s just the back end, basically the tracking parts. Then there’s the controversy about them collecting location data when users have said no. They absolutely do collect data they shouldn’t.
At what point does this all just become sinophobia?
Probably when the software isn’t malware.
But in this case it is.
Also fuck their landfillware Chinesium “products”.
That’s also most of what’s on Amazon these days.
Amazon is just faster shipped temu garbage
Every person I’ve heard hate on temu shops on amazon, too. It’s pretty ironic.
If it’s $5 and some random assortments of letters for a brand name you might as well just light your money on fire whether you order from temu or amazon or Walmart for that matter
I mean, some things are just fine when they are the cheapest?
I can’t believe anyone would buy from Temu. I knew they were Chinese knockoff bullshit the second I saw their first obnoxious ad.
I can’t believe people pay full price on cheap stuff. The only reasonable thing to do is pay cheap on cheap stuff. And the delivery times are unbeatable .
