Following in the footsteps of almost two dozen attorneys general in other states, Kentucky Attorney General Russell Coleman filed a lawsuit on July 17, 2025, against Chinese online shopping platform Temu, alleging that it unlawfully collects Kentuckians’ data, violates their privacy, and counterfeits “some of Kentucky’s most iconic brands.”

The complaint alleges that Temu:

  • Illegally collects users’ data without their knowledge and consent;
  • Gives the Chinese Communist government unfettered access to that data;
  • Steals the intellectual property of U.S.-owned companies, including some of Kentucky’s most iconic brands, such as the University of Kentucky, University of Louisville, Buffalo Trace Distillery and Churchill Downs; and
  • Uses forced labor from Chinese ethnic minorities in clear violation of U.S. trade policies.

According to the Attorney General’s press release, Temu in 2023 became “the most-downloaded mobile app in the U.S.” The lawsuit alleges that Temu is owned by a Chinese holding company, PDD Holdings, which also offered the Pinduoduo app, an app that has been banned from U.S.-based app stores “for being malware. The Temu app shares a significant amount of its code with the original Pinduoduo app and has a documented relationship with the Chinese Communist Party.”

The Attorney General alleges that Temu “can infect Kentuckians’ devices with malware, steal their personal data and send it directly to the Chinese government. At the same time, they’re eroding trust in some of Kentucky’s most iconic brands, which could lead to job losses and hardship.”

Similar to the state lawsuits against TikTok, we anticipate that more states will focus their consumer protection regulatory eyes on Temu and its collection and use of consumers’ data in the coming months. For more information on TikTok’s lawsuits, refer to our previous blogs.

In the meantime, consumers may wish to consider the allegations set forth in Attorney General Coleman’s complaint before downloading Temu, which raises concerns similar to those raised by TikTok.

We have repeatedly warned our readers about the risks associated with TikTok. We are reminding our readers that the popular Temu app raises the same concerns.

The risks have prompted almost two dozen attorneys general to file lawsuits against Temu, alleging that it is “dangerous malware” that secretly monetizes user data in an unauthorized manner.

Arkansas Attorney General Tim Griffin filed one of the first lawsuits against Temu on June 25, 2024, alleging that the app:

[I]s purposefully designed to gain unrestricted access to a user’s phone operating system, including, but not limited to, a user’s camera, specific location, contacts, text messages, documents, and other applications. Temu is designed to make this expansive access undetected, even by sophisticated users. Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place. Even users without the Temu app are subject to Temu’s gross overreach if any of their information is on the phone of a Temu user. Temu monetizes this unauthorized collection of data by selling it to third parties, profiting at the direct expense of Arkansans’ privacy rights.

The lawsuit claims that Temu was “the most downloaded app in the United States” in 2023, “with users spending almost twice the amount of time on its platform than on rival Amazon.” It then provides several concerns and risks associated with downloading Temu, including:

  • Apple suspending Temu from the App Store “for misrepresentations Temu made regarding the types of data Temu can access or collect from users” including how it collects and uses the data.
  • Google suspending the Pinduoduo app (another app designed by the Temu app’s owner) from its Google Play app store in March 2023 because it contained malware.
  • Security researchers concluding that the Temu app is purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices that have downloaded and installed the TEMU app.
  • Temu collecting a shocking amount of sensitive user data beyond what is necessary for an online shopping app. Some examples include users’ granular location using the Global Positioning System and even biometric information such as users’ fingerprints.
  • Temu having “a complete arsenal of tools to exfiltrate virtually all the private data on a user’s device and perform nearly any malign action upon command trigger from a remote server gaining access-without permission or even notice-to ‘literally everything on [a user’s device].’”
  • The Temu app’s code being purposely designed to evade front-end security review and to change once it has been downloaded to a user’s phone.
  • Great efforts taken to intentionally hide the malicious intent and intrusiveness of the software.

If these facts are not enough to deter you from downloading the app, or to persuade you to remove it from your phone, here is another chilling article to review, one of many others just like it. The bottom line is to understand the risks before you download or maintain the Temu app on your device. Take a look at the Arkansas complaint against Temu and the most recent one, filed this week by the Attorney General of Kentucky, to dig deeper into the facts behind the app.

Researchers at Arizona State University and Citizen Lab have discovered that three families of Android VPN applications, used by millions of people worldwide, are related and owned by companies or individuals located in mainland China or Hong Kong with ties to the People’s Republic of China.

The researchers analyzed numerous VPN apps, examining each app’s Java code and security flaws along with its number of Google Play Store downloads. From their research, they identified three families of VPN providers and the number of downloads for each. The apps in the first group contained identical security flaws, including that they:

  • Collect location-related data (even though their privacy policies say they don’t);
  • Use weak/deprecated encryption; and
  • Contain hard-coded Shadowsocks passwords, which, if extracted, may allow attackers to decrypt user traffic. These hard-coded credentials work across different apps and servers, proving that these providers use the same backend infrastructure.
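
For teams that vet mobile apps before allowing them on managed devices, the second and third flaws above can be checked statically by searching an app's unpacked strings for embedded Shadowsocks URIs. The Python below is an added example, not code from the researchers or from this blog; the sample strings, the hostnames, and the choice to treat Shadowsocks stream (non-AEAD) ciphers as the "deprecated" set are assumptions.

```python
import base64
import re

# Assumption: Shadowsocks stream (non-AEAD) ciphers are the "deprecated" set;
# the page does not name the ciphers the researchers found.
DEPRECATED_METHODS = {"rc4", "rc4-md5", "bf-cfb", "salsa20", "chacha20",
                      "chacha20-ietf", "aes-128-cfb", "aes-192-cfb",
                      "aes-256-cfb", "aes-128-ctr", "aes-192-ctr", "aes-256-ctr"}
# ss://BASE64(method:password)@host:port  or legacy  ss://BASE64(method:password@host:port)
SS_URI = re.compile(r"(?<![A-Za-z0-9])ss://([A-Za-z0-9+/_=-]+)(?:@([\w.-]+):(\d+))?")

def _b64_text(blob):
    """Decode standard or URL-safe base64, with or without padding."""
    try:
        raw = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def audit_strings(strings):
    """Return one finding per embedded Shadowsocks credential; never echo the secret."""
    findings = []
    for text in strings:
        for m in SS_URI.finditer(text):
            decoded = _b64_text(m.group(1))
            if not decoded or ":" not in decoded:
                continue
            method, _, secret = decoded.partition(":")
            server = m.group(2)
            if server is None:  # legacy form keeps host:port inside the blob
                if "@" not in secret:
                    continue
                secret, _, hostport = secret.rpartition("@")
                server = hostport.rpartition(":")[0]
            findings.append({"server": server, "method": method,
                             "deprecated_cipher": method.lower() in DEPRECATED_METHODS,
                             "secret_length": len(secret)})
    return findings

def _enc(s):  # helper used only to build the constructed sample below
    return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")

# Constructed sample: strings as they might appear in an unpacked app's resources.
SAMPLE_STRINGS = [
    'node="ss://' + _enc("aes-256-cfb:constructed-pass-1") + '@vpn.example.net:8388#n1"',
    "ss://" + _enc("chacha20-ietf-poly1305:constructed-pass-22@192.0.2.10:8388"),
    "https://example.com/help",
]

if __name__ == "__main__":
    for finding in audit_strings(SAMPLE_STRINGS):
        print(finding)
```

Any finding means a credential ships inside the app itself, and `deprecated_cipher` marks the ones that also use an unauthenticated cipher.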

They found a single company hosts all of the VPN servers in the second group, and that the VPN apps in the third family “are susceptible to connection interference attacks using the client-side blind in/on-path attacks.”

Significantly, the researchers found that “the providers appear to be owned and operated by a Chinese company (i.e., Qihoo 360) and have gone to great lengths to hide this fact from their 700+ million combined user bases.”

The Tech Transparency Project (TTP) provided an in-depth analysis of Qihoo 360 as a national security threat in its article “Apple Offers Apps With Ties to Chinese Military,” which is well worth the read.

According to the article, “[m]illions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.” They discovered that “one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a ‘Chinese Military Company.’”

They further found that “one Chinese VPN has been advertised on Facebook and Instagram to teens as young as 13, and some have targeted ads at Americans looking to keep using TikTok, another Chinese app threatened with a U.S. ban.”

While the researchers from Arizona State University and Citizen Lab did an in-depth analysis of the apps owned by Qihoo 360 (which found that the apps were downloaded over 70 million times), TTP provides more information about Qihoo 360 and its national security risk. According to TTP, Qihoo 360 was placed on the Commerce Department’s Entity List. It was sanctioned in June 2020 as it “takes part in the procurement of commodities and technologies for military end-use in China.” It was also “designated by the U.S. Department of Defense as a ‘Chinese military company’ operating in the U.S.”

Similar to the concerns raised by TikTok and Temu, the free VPN services provided by Qihoo contain risks that users should consider. Research your VPN provider to ensure that it does not have ties to the Chinese Communist government.