
Investigative Review of PDD Holdings

This data provides PDD Holdings with a real-time view of the user's app economy, allowing them to adjust pricing, push notifications, or incentives based on the user's engagement with rival platforms. Moreover, the collection of system logs poses a severe security risk.

Long-form investigative review, verified against public and audited records
File ID: EHGN-REVIEW-32264

Data privacy vulnerabilities and malware risks in the Temu application

While standard e-commerce platforms require basic user data to process transactions and ship goods, PDD Holdings has engineered Temu to.

Primary risk: Legal / regulatory exposure
Report Summary
In June 2024, Arkansas Attorney General Tim Griffin filed a lawsuit against PDD Holdings and WhaleCo Inc., explicitly labeling Temu a "data-theft business." The complaint asserts that the platform is "functionally malware and spyware," designed to strip-mine user devices for sensitive information. In the data economy, the cost of acquiring a user, even at $30 per head, is a bargain if the resulting data stream yields biometric identifiers and persistent surveillance capabilities. The structural similarities in data collection strategies suggest a unified corporate directive to prioritize data dominance over user privacy.
Key Data Points
On March 21, 2023, Google took the rare and decisive step of suspending the Pinduoduo application from the Google Play Store, citing the discovery of malware in versions of the software. The suspension marked the first time a major mainstream e-commerce application, boasting nearly 800 million active users, was flagged for actively exploiting zero-day vulnerabilities to compromise user devices. The core of the Pinduoduo malware engine relied on the exploitation of CVE-2023-20963, a serious vulnerability in the Android Framework. Investigations by CNN and other outlets revealed the existence of a specialized internal unit at PDD Holdings, comprised of approximately 100 engineers.

Why it matters:

  • PDD Holdings strategically relocated its "principal executive offices" from Shanghai, China, to Dublin, Ireland, in a move seen as a corporate obfuscation tactic.
  • The relocation to Ireland was aimed at shielding the company's assets from geopolitical risks and regulatory scrutiny, particularly in light of increasing U.S. government scrutiny of Chinese-owned tech firms.

Corporate Obfuscation: PDD Holdings' Strategic Relocation to Ireland

In May 2023, a quiet but significant alteration appeared in the regulatory filings of PDD Holdings Inc. With a few keystrokes, the e-commerce giant shifted its "principal executive offices" from Shanghai, China, to Dublin, Ireland. This modification, buried in a Form 20-F filed with the United States Securities and Exchange Commission (SEC), was not accompanied by a grand opening of a sprawling Irish campus or a mass migration of executives to the banks of the Liffey. Instead, it functioned as a calculated maneuver in corporate obfuscation, designed to shield the company's expanding global asset, Temu, from the geopolitical crosshairs that had already snagged competitors like ByteDance's TikTok.

The relocation to Dublin represents a classic "nameplate" headquarters strategy. While the SEC documents legally anchor PDD Holdings in Ireland, the operational core of the company remains firmly rooted in the People's Republic of China. Investigations into the company's physical footprint in Dublin reveal a clear contrast to its massive presence in Shanghai. The Irish office serves primarily as a legal outpost for registering overseas business, specifically for Temu, rather than a command center for global strategy. This raises immediate questions about the authenticity of the move and suggests a deliberate attempt to obscure the company's Chinese origins from Western regulators and wary consumers.

This corporate shell game became clear almost immediately after the filing. While PDD Holdings presented itself to Wall Street as an Ireland-headquartered multinational, its domestic messaging told a different story. When news of the Dublin move reached Chinese social media, Pinduoduo, the company's domestic arm, moved quickly to reassure its local base. Spokespeople vehemently denied that the headquarters had moved, stating to Chinese press that the company was born in Shanghai and would always remain there. This dual narrative is a defining characteristic of PDD Holdings' current strategy: project an image of a benign, stateless global entity to the West while maintaining strict allegiance and operational integration within China to satisfy Beijing.

The timing of this relocation was far from coincidental. By early 2023, the United States government had intensified its scrutiny of Chinese-owned technology firms, citing national security risks and data privacy concerns. The looming threat of a TikTok ban and the aggressive posturing of the U.S.-China Economic and Security Review Commission created a hostile environment for any app with a direct pipeline to Beijing. By re-domiciling to Ireland, a European Union member state with a favorable 12.5% corporate tax rate, PDD Holdings attempted to wash its corporate passport. The goal was to legally distance Temu from the stigma of being a "Chinese app," thereby complicating any potential regulatory enforcement actions by U.S. authorities who might view an Irish company with more leniency than a Chinese one.

This strategy of obfuscation extends beyond the parent company's registration. Temu, the consumer-facing storefront that has inundated Western markets with cut-rate goods, has aggressively scrubbed


The Pinduoduo Precedent: Zero-Day Exploits and Google Play Suspension

The March 2023 Suspension: A Corporate Watershed

On March 21, 2023, Google took the rare and decisive step of suspending the Pinduoduo application from the Google Play Store, citing the discovery of malware in versions of the software. This was not a routine policy violation or a minor compliance oversight. It was a response to what security researchers at Lookout and Kaspersky later identified as one of the most sophisticated app-based attacks in history. The suspension marked the first time a major mainstream e-commerce application, boasting nearly 800 million active users, was flagged for actively exploiting zero-day vulnerabilities to compromise user devices.

While PDD Holdings attempted to frame the removal as a "generic" compliance problem, technical analysis revealed a calculated, malicious architecture. The application did not merely request excessive permissions; it bypassed the user's consent entirely. By leveraging specific vulnerabilities in the Android framework, the app executed a privilege escalation attack, granting itself system-level access that is reserved for the operating system itself. This allowed Pinduoduo to operate outside the sandboxed environment that restricts standard applications, turning millions of consumer devices into compromised endpoints under PDD's control.

Technical Anatomy of the Exploit: CVE-2023-20963

The core of the Pinduoduo malware engine relied on the exploitation of CVE-2023-20963, a serious vulnerability in the Android Framework. This flaw allowed the application to escalate privileges without user interaction. Security firm Lookout confirmed that versions of Pinduoduo were exploiting this vulnerability in the wild before Google had even released a public patch, classifying the attack as a zero-day exploit. This timing demonstrates that PDD Holdings did not stumble upon a security loophole; they likely employed a dedicated team to identify and weaponize undocumented vulnerabilities.

Once system privileges were secured, the app used dynamic code loading (DCL) to fetch and execute malicious DEX (Dalvik Executable) files from remote servers. This technique allowed PDD to push malicious updates to devices without going through the app store review process. The malware's capabilities were extensive and invasive: it could read private notifications, access files from other applications, and modify system settings. Perhaps most disturbingly, the malware included a self-defense mechanism that prevented users from uninstalling the app. When a user attempted to remove Pinduoduo, the app would crash the system settings or silently block the uninstallation process, ensuring its persistence on the device.

The “Dark Team” and the Temu Connection

The sophistication of the Pinduoduo exploit suggests a high level of organizational backing. Investigations by CNN and other outlets revealed the existence of a specialized internal unit at PDD Holdings, comprised of approximately 100 engineers and product managers. This team was reportedly tasked with hunting for vulnerabilities in Android systems and developing exploits to weaponize them for commercial gain. Their objective was not security research but the aggressive acquisition of user data and the suppression of competitor apps.

Following the public exposure and Google's subsequent ban, PDD Holdings reportedly disbanded this team in early March 2023 to scrub evidence of the operation. However, the personnel did not go away. Reports indicate that the majority of these engineers were transferred directly to PDD's new international subsidiary: Temu. This transfer of human capital creates a direct lineage between the malware architects of Pinduoduo and the technical foundation of the Temu application. The engineers who built the unremovable, spying infrastructure for the Chinese market are the same minds behind the code running on millions of Western devices.

Corporate Denial Versus Technical Reality

PDD Holdings’ official response to the suspension was a study in deflection. The company issued statements rejecting the “speculation and accusation” that its app was malicious, characterizing Google’s action as a non-conclusive policy enforcement. They further attempted to dilute the severity of the incident by claiming that “several other apps” were suspended simultaneously, a whataboutism tactic designed to normalize their specific violation. This narrative crumbled under independent scrutiny.

Kaspersky researchers analyzed previous versions of the app distributed through Chinese third-party stores and confirmed the presence of the backdoor code. They found that the app was designed to spy on competitors by monitoring user activity on other shopping platforms, a clear violation of anti-competitive laws and basic privacy standards. The disconnect between PDD's public denials and the forensic evidence establishes a pattern of corporate dishonesty. It suggests that the company views data privacy not as a legal obligation but as an obstacle to be circumvented through engineering. This precedent is serious when evaluating the risks posed by Temu, which operates under the same corporate umbrella and uses the same engineering resources.

Grizzly Research Findings: Allegations of 'Cleverly Hidden Spyware'


On September 7, 2023, Grizzly Research released a forensic report that shattered the perception of Temu as a benign discount retailer. Titled *"We believe PDD is a Dying Fraudulent Company and its Shopping App TEMU is Cleverly Hidden Spyware,"* the document presented a technical dissection of the application's code. The firm's analysts concluded that the application functions less like an e-commerce platform and more like a sophisticated data extraction tool. Grizzly Research labeled the software a serious security threat to Western markets, alleging that PDD Holdings aggressively monetizes stolen user data to offset the massive financial losses incurred by its subsidized pricing model.

The core of Grizzly's technical accusation centers on the presence of dynamic compilation capabilities within the Temu application. Security analysts identified code segments that allow the app to download, compile, and execute new software binaries after installation. This method bypasses the initial security reviews conducted by the Google Play Store and Apple App Store. While the version submitted for store approval may appear clean, the installed application can alter its own behavior on the user's device. Grizzly Research described this as a "bait and switch" tactic, where the benign outer shell hides a mechanism capable of deploying malicious payloads at will.

Further examination of the source code revealed the use of hidden Android system APIs. The report identified 18 specific internal API calls that are restricted or banned for standard consumer applications. By comparison, competitors like TikTok and Shein use few to none of these specific restricted functions. These hidden calls allow the application to access parts of the operating system that should remain off-limits, such as reading file systems, accessing camera and microphone data without explicit active triggers, and modifying system settings. The analysts noted that these functions are wrapped in layers of encryption and obfuscation, designed specifically to evade automated malware detection systems.

The investigation also drew a direct line between Temu and its sister application, Pinduoduo, which Google suspended in early 2023 due to the presence of malware. Grizzly Research reported that PDD Holdings transferred a team of approximately 100 engineers and product managers from the Pinduoduo division to develop Temu. The code analysis suggests that these engineers repurposed the same malicious software architecture used in Pinduoduo, stripping away only the most obvious exploits to pass initial scrutiny while retaining the core surveillance capabilities. The report alleges that the "bad parts" were not removed but hidden more deeply, using "shifting integer signals libraries" to mask the app's true intent.

Data exfiltration capabilities identified in the report are extensive. The application allegedly requests permissions to access biometric data, including fingerprints and voiceprints, as well as external storage, contacts, and chat logs. Of particular concern is the application's ability to check if a device has "root" access. If the software detects a rooted device, it can theoretically bypass the Android sandbox entirely, granting itself read and write privileges over every file on the phone. This level of access allows for the silent extraction of user data, which is then encrypted and transmitted to servers located in China.

Grizzly Research also attacked PDD Holdings' business fundamentals to explain the need for this data theft. The firm estimated that Temu loses approximately $30 per order due to high shipping costs and marketing spend. To sustain these losses, the report argues that PDD's true revenue stream is not the sale of cheap goods but the sale of the detailed user data it harvests. By building a database of Western consumer habits, biometrics, and device fingerprints, PDD allegedly creates a product far more valuable than the $5 items listed on its marketplace.

PDD Holdings responded to the report with a categorical denial. A spokesperson for the company stated that the report contained "misinformation" and was driven by the financial incentives of a short-seller looking to profit from a stock price decline. The company insisted that its data practices adhere to industry standards and that it prioritizes user privacy. Yet the technical specificity of the Grizzly report, citing exact lines of code and function calls, provided a roadmap for subsequent class-action lawsuits and government inquiries in Arkansas and Arizona, where state attorneys general cited the findings as the basis for legal action against the company.

Dynamic Code Loading: Circumventing App Store Security Reviews

Dynamic Code Loading: The Bait-and-Switch Mechanism

The central pillar of the security allegations against Temu rests on a mechanism known as Dynamic Code Loading (DCL). This technique represents a fundamental subversion of the safety model established by major mobile application marketplaces. In standard software distribution, an application undergoes a rigorous static analysis by Apple or Google before it reaches the user. Reviewers scan the code for malicious patterns, known vulnerabilities, and unauthorized permission requests. Once approved, the code is theoretically "frozen" until the next update. Temu, however, stands accused of deploying a "bait-and-switch" architecture that renders this initial review meaningless.

Forensic analyses, most notably by Grizzly Research and substantiated by filings from the Arkansas and Arizona Attorneys General, indicate that the Temu application functions as a shell. Upon installation, the app connects to remote Command and Control (C2) servers operated by PDD Holdings. From these servers, it downloads new executable code chunks, frequently disguised as innocent data files or proprietary formats like `.lego` files, which are then compiled and executed on the device in real time. This capability allows PDD Holdings to fundamentally alter the application's behavior *after* it has passed security checks and resides on the user's device.

Technical Evasion of Static Analysis

The technical implementation of this evasion is sophisticated. On the Android operating system, the application reportedly uses system APIs such as `dalvik.system.DexClassLoader`. This class allows an application to load classes from a `.jar` or `.apk` file containing a `classes.dex` entry. While legitimate developers use this for hot-patching bugs, security researchers assert that Temu uses it to inject substantial new functionality that was never present in the original submission.

By keeping the malicious or intrusive code off the device during the app store review process, Temu presents a benign face to automated scanners. The "payload" is only delivered once the app detects it is running on a real user's device, rather than a test environment. This behavior mirrors the tactics of advanced persistent threat (APT) actors rather than legitimate e-commerce vendors.

The Swiss National Test Center for Cybersecurity (NTC) confirmed the presence of this dynamic loading capability in their technical analysis, noting that while they did not observe active data theft during their limited testing window, the *mechanism* for it was fully operational. The existence of the gun is proven, even if the trigger pull was not observed in that specific instance.

The “Functionally Malware” Allegation

The implications of this architecture are severe. In a lawsuit filed in June 2024, Arkansas Attorney General Tim Griffin described Temu not as a shopping app but as "functionally malware." The complaint alleges that the app is "purposefully designed to gain unrestricted access to a user's phone operating system." Because the code is loaded dynamically, it can theoretically request permissions or exploit system vulnerabilities (zero-day exploits) that the user never explicitly authorized. Grizzly Research's report went further, characterizing the application as "the most dangerous malware/spyware package currently in widespread circulation." Their analysts found that the code imported from PDD's servers could enable the application to record audio, access the camera, read text messages, and exfiltrate file system data without triggering standard operating system alerts. This aligns with the behavior observed in Pinduoduo, Temu's sister app, which was removed from the Google Play Store in 2023 for exploiting a zero-day vulnerability (CVE-2023-20963) to escalate privileges and prevent uninstallation.

Obfuscation and Persistence

To protect this mechanism from discovery, the application employs aggressive obfuscation techniques. The communication between the app and the C2 servers is heavily encrypted, preventing security researchers from easily inspecting the payload being delivered. Moreover, the Arizona Attorney General's lawsuit claims that the app contains "large swaths" of code identical to that found in the banned Pinduoduo app, suggesting a direct transfer of malware technology between the two entities. This capability creates a scenario of persistent surveillance risk. Even if a user grants minimal permissions upon installation, the app can later download code that exploits a system weakness to bypass those restrictions. The user remains unaware of the change, as no app update notification appears. The software updates itself silently, transforming from a passive catalog of cheap goods into an active surveillance tool capable of harvesting biometric data, location history, and private communications.

Comparison of Standard App Behavior vs. Temu's Alleged DCL Mechanism

| Feature | Standard E-Commerce App | Temu (Alleged Behavior) |
| --- | --- | --- |
| Code Source | All code resides in the installation package (APK/IPA). | Code is fetched remotely from C2 servers post-install. |
| Update Process | Updates occur via App Store/Play Store with user consent. | Updates occur silently in the background without notification. |
| Security Review | Code is scanned by Apple/Google before release. | New code bypasses store scanners entirely. |
| Permission Scope | Limited to permissions granted at install. | Can escalate privileges via downloaded exploits. |
| Transparency | Codebase is static and analyzable. | Codebase is transient, encrypted, and obfuscated. |

C++ Code Compilation: Mechanisms for Post-Installation Behavior Modification

The structural integrity of the Temu application relies on a sophisticated engineering strategy that prioritizes obfuscation over transparency. While the majority of Android applications are written in Java or Kotlin—languages that are relatively easy for security researchers to decompile and inspect—Temu breaks from standard industry practice by burying its most sensitive logic within compiled C++ code. This architectural decision creates a "black box" within the application, rendering standard static analysis tools blind to the software's true capabilities.

Security analysts at Grizzly Research identified this anomaly as a primary vector for malware distribution. Their technical audit revealed that Temu uses the Java Native Interface (JNI) to execute compiled C++ binaries for tasks that require no such complexity. In legitimate software development, C++ is reserved for high-performance requirements, such as graphics rendering in video games or complex mathematical computations. Temu, however, employs these native libraries for user interface logic and network data transmission. This gap suggests that the primary function of the C++ implementation is not performance optimization but the concealment of the code execution route from app store review bots and external security auditors.

The danger of this mechanism lies in its ability to enable post-installation behavior modification. When a user downloads Temu from the Google Play Store or Apple App Store, the binary package appears benign. It passes initial security screenings because the malicious code is not present in the installer itself. Instead, the application contains a dormant capability—specifically, a function identified by researchers involving `Runtime.exec()`—that allows the app to compile and execute new code directly on the user's device. This "self-compiling" feature enables PDD Holdings to alter the application's behavior radically after it has established a foothold on the host system.

Once installed, the application can contact remote servers to download configuration files or binary payloads. The C++ logic then interprets or compiles these payloads, rewriting the app's internal rules without requiring a formal update through the app store. This technique, frequently referred to as "hot patching" or "dynamic loading," allows the operator to introduce aggressive data collection that would have triggered an immediate rejection during the initial review process. The app that the user consents to install is fundamentally different from the app that eventually operates on their device.

This engineering prowess is not accidental. Reports indicate that PDD Holdings transferred a specific cadre of engineers to the Temu project following the disbandment of the team responsible for the Pinduoduo malware scandal. In 2023, Google suspended Pinduoduo after discovering zero-day exploits in the app that allowed it to escalate privileges and seize control of user devices. Following this suspension, sources confirm that PDD Holdings moved approximately 100 of these engineers to the Temu division. This transfer of human capital suggests a deliberate continuity in strategy: the same minds that engineered the Pinduoduo exploits were tasked with building Temu's infrastructure, applying the same obfuscation techniques to a global audience.

The technical footprint of this strategy is visible in the presence of specific encryption and "shifting integer signals" libraries found within the Temu APK (Android Package Kit). These components serve no discernible e-commerce purpose. Their function is to scramble the data flow between the app and PDD's servers, preventing researchers from observing exactly what information is being exfiltrated. When security firms attempt to attach debuggers to the running application—a standard method for analyzing software behavior—the C++ code detects the intrusion and alters its operation, frequently crashing the app or feeding false data to the analyst. This anti-analysis capability is a hallmark of malware, designed specifically to frustrate reverse-engineering efforts.

Moreover, the use of native C++ code complicates the permission model of the Android operating system. While Java-based requests for camera or microphone access trigger visible system prompts, native code can sometimes exploit lower-level system vulnerabilities to bypass these checks. By executing commands at the binary level, the application can potentially access file systems and peripheral sensors without alerting the user or the operating system's security manager. This creates a scenario where the user's perceived privacy settings are overridden by the application's internal logic.

The implications of this architecture are severe. A user may deny the app permission to access contacts or location data via the standard Android interface, believing their privacy is secure. Yet the compiled C++ backend, receiving instructions from a remote server, can exploit unpatched vulnerabilities (zero-days) to bypass these restrictions. The Grizzly Research report highlights that this capability transforms Temu from a simple shopping platform into a potent surveillance tool, capable of exfiltrating data ranging from biometric inputs to file system metadata.

This method of "post-installation compilation" represents a significant evolution in mobile malware. Traditional malicious apps are frequently caught because their payload is static and visible. Temu's approach is dynamic and ephemeral. The malicious behavior can be toggled on or off based on the user's location, the device type, or the specific scrutiny the app is under at any given moment. If a security researcher in the United States attempts to analyze the traffic, the server can instruct the app to behave normally. Simultaneously, a regular user in a different region may be subjected to aggressive data harvesting. This selective activation makes definitive proof of wrongdoing difficult to capture, as the evidence exists only in the temporary memory of the device during the attack window.

The integration of these mechanisms points to a calculated effort by PDD Holdings to maintain plausible deniability while securing unrestricted access to user devices. The complexity of the C++ obfuscation ensures that only the most well-resourced security firms can penetrate the app's defenses, leaving the average consumer and even standard antivirus software defenseless against the intrusion. The app does not merely trade; it functions as a dynamic, remotely controlled terminal that operates outside the boundaries of standard application sandboxing.
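A defender's static-triage pass for the indicators the two preceding sections describe (a `DexClassLoader` reference, `Runtime.exec`, a remotely fetched `.lego`/`.dex` bundle, JNI native methods and libraries, and debugger checks), as an added example that is not code from the article, from Grizzly Research, or from PDD Holdings. It assumes the APK has already been decoded to smali and resource text (for instance with apktool); the sample file tree, the indicator weights and the review threshold are constructed for illustration.

```python
"""Static triage of a decoded Android app for dynamic-code-loading (DCL)
and native-code indicators. Added example; the indicator list, weights,
threshold and sample file tree are assumptions, not vendor data."""
import re
from dataclasses import dataclass

# (indicator name, smali/text pattern, weight, what a reviewer should check)
INDICATORS = [
    ("dex_class_loader",
     re.compile(r"Ldalvik/system/(?:DexClassLoader|InMemoryDexClassLoader);"), 3,
     "class loader able to execute code that was not in the reviewed package"),
    ("runtime_exec",
     re.compile(r"Ljava/lang/Runtime;->exec\("), 3,
     "spawns OS processes; can compile or run downloaded binaries"),
    ("remote_code_bundle",
     re.compile(r"https?://[^\s\"'<>]+\.(?:lego|dex|jar|apk)\b"), 4,
     "URL pointing at a code bundle to be fetched after install"),
    ("load_library",
     re.compile(r"Ljava/lang/System;->load(?:Library)?\("), 1,
     "native library loaded through JNI; logic opaque to Java-level analysis"),
    ("native_method",
     re.compile(r"^\.method .*\bnative\b", re.M), 1,
     "JNI entry point implemented in compiled C/C++"),
    ("anti_debug",
     re.compile(r"Landroid/os/Debug;->isDebuggerConnected\("), 2,
     "checks for an attached debugger; behaviour may change under analysis"),
]


@dataclass
class Finding:
    indicator: str
    path: str
    evidence: str
    weight: int
    note: str


def scan_decoded_app(files):
    """Return every indicator hit across a {path: text} decoded file tree."""
    findings = []
    for path, text in files.items():
        if path.startswith("lib/") and path.endswith(".so"):
            findings.append(Finding("native_library", path, path, 1,
                                    "compiled native library shipped in the APK"))
            continue
        for name, pattern, weight, note in INDICATORS:
            for m in pattern.finditer(text):
                findings.append(Finding(name, path, m.group(0).strip(), weight, note))
    return findings


def risk_score(findings):
    """Sum the weight of each distinct indicator once. The combination matters:
    a class loader plus a remotely sourced bundle is what turns a benign
    hot-patch facility into the bait-and-switch the sections above describe."""
    distinct = {f.indicator: f.weight for f in findings}
    score = sum(distinct.values())
    if {"dex_class_loader", "remote_code_bundle"} <= distinct.keys():
        score += 3
    return score


def triage(files, threshold=8):
    """Return ("review" | "ok", score) for a decoded app."""
    score = risk_score(scan_decoded_app(files))
    return ("review" if score >= threshold else "ok"), score


# Constructed sample of a decoded app (not any real product's code).
SAMPLE_APP = {
    "smali/com/example/shop/Loader.smali": (
        ".class public Lcom/example/shop/Loader;\n"
        ".method public load(Ljava/lang/String;)V\n"
        "    invoke-direct {v0, p1, v1, v2, v3}, Ldalvik/system/DexClassLoader;-><init>"
        "(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V\n"
        "    invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z\n"
        ".end method\n"
        ".method public native nativeInit()V\n"
        ".end method\n"
    ),
    "res/values/strings.xml":
        '<string name="cfg">https://cdn.example.invalid/bundles/patch_v2.lego</string>\n',
    "smali/com/example/shop/Shell.smali":
        "    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;\n",
    "lib/arm64-v8a/libcore.so": "",
    "smali/com/example/shop/Cart.smali": ".method public addItem(I)V\n    return-void\n.end method\n",
}

if __name__ == "__main__":
    for f in scan_decoded_app(SAMPLE_APP):
        print(f"[{f.weight}] {f.indicator:<18} {f.path}: {f.evidence}")
    print("verdict:", triage(SAMPLE_APP))
```

A single `DexClassLoader` hit is common in legitimate hot-patching; it is the co-occurrence with a remote bundle URL, native code and anti-debug checks that should send a build to manual review.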

Excessive Permissions: Analysis of 24 Undisclosed Access Requests

The analysis of Temu's permission requests reveals a digital architecture that mirrors aggressive surveillance software rather than a benign e-commerce platform. While standard shopping applications require a limited set of authorizations, typically restricted to network access and payment processing, Temu's manifest demands an array of 24 permissions. Many of these requests grant deep system access that is fundamentally disconnected from the user's shopping experience, creating a vulnerability vector that security researchers argue is designed for data exfiltration and persistent monitoring.

The “God Mode” Permission: SYSTEM_ALERT_WINDOW

Among the most worrying discoveries in Temu's code is the request for `SYSTEM_ALERT_WINDOW`. In the Android development ecosystem, this permission is frequently referred to as "drawing over other apps." It allows an application to overlay content on top of any other active program, including banking apps, secure messaging platforms, and system settings. For a legitimate utility app, this function might power a chat bubble or a screen dimmer. For an e-commerce retailer, it serves no functional purpose. However, in the context of malware, `SYSTEM_ALERT_WINDOW` is a serious tool for credential harvesting. It enables "overlay attacks," where a malicious actor projects a fake login screen over a legitimate banking application. When the user enters their credentials, they are not logging into their bank but rather handing their password directly to the overlaying app. Grizzly Research and other forensic analysts have identified this permission as a primary indicator of Temu's potential to intercept sensitive user interactions outside its own sandbox.

Surveillance Suite: Microphone and Camera Access

Temu's insistence on `RECORD_AUDIO` and `CAMERA` permissions is defended by the company as necessary for features like voice search and visual product matching. Yet the implementation of these permissions raises serious red flags. Forensic analysis indicates that the code structures governing these functions do not strictly limit their activation to user-initiated actions. Unlike standard implementations where the camera is active only during the specific "take photo" intent, the permissions granted to Temu allow for the theoretical capture of audio and visual data at any time the app is running in the foreground or, through specific background processes, even when the phone appears idle. This capability turns a user's device into a potential listening post. The accumulation of biometric data, such as voice prints and facial geometry, poses a permanent security risk. Unlike a compromised password, which can be changed, a user cannot alter their voice or face, making the theft of this data a catastrophic, irreversible privacy breach.

Digital Fingerprinting: Wi-Fi and Device State

The application's hunger for data extends to the physical environment of the user. Temu requests `ACCESS_WIFI_STATE` and `ACCESS_FINE_LOCATION`. While location data is arguably useful for shipping logistics, the combination of these permissions allows for precise "digital fingerprinting." By scanning the Service Set Identifier (SSID) and Basic Service Set Identifier (BSSID) of connected and nearby Wi-Fi networks, Temu can triangulate a user's exact physical location even if the GPS is disabled. Moreover, the app requests `READ_PHONE_STATE`, a permission that grants access to the device's International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI). These unique hardware serial numbers are the gold standard for persistent tracking. Advertisers and data brokers prize this data because it allows them to track a specific device across factory resets and different user accounts. For PDD Holdings, this data creates a permanent dossier on every device the app touches, linking data points into a single, unshakeable user profile.

Corporate Espionage: QUERY_ALL_PACKAGES and GET_TASKS

Perhaps the most brazen deviation from ethical coding standards is Temu’s use of `QUERY_ALL_PACKAGES` and the deprecated `GET_TASKS` permission (or the `getRunningTasks` method). These permissions allow the application to scan the user’s device and list every other installed application. This capability serves a dual purpose:

1. **Competitor Intelligence:** PDD Holdings can monitor whether a user has installed rival apps like Amazon, Shein, or Walmart. They can analyze usage patterns to determine when a user switches between apps, providing invaluable competitive intelligence that allows them to undercut prices or target notifications at the exact moment a user is shopping elsewhere.
2. **Security Evasion:** By detecting the presence of security software, debuggers, or sandboxing environments, the app can alter its behavior. If it detects a forensic analysis tool, it can suppress its malicious code execution, appearing benign to researchers while continuing its aggressive data collection on consumer devices.

The “Undisclosed” Threat: Permissions

The “24 permissions” figure in manifest analyses is likely an undercount of the app’s true capabilities due to the use of Dynamic Code Loading (DCL). As detailed in previous sections, DCL allows PDD Holdings to push new code to the device after installation. This means the app can theoretically exploit “zero-day” vulnerabilities to escalate its privileges without ever requesting permission from the user or the Google Play Store. The danger is not just what Temu asks for, but what it takes. The app’s code contains

Section 7

Biometric Data Harvesting: Facial Recognition and Fingerprint Allegations

The most visceral and permanent threat posed by the Temu application is not the theft of credit card numbers, which can be canceled, but the alleged harvesting of immutable biological identifiers. While financial data is transient, biometric data is forever. Recent class-action litigation and forensic cybersecurity analyses suggest that PDD Holdings has engineered Temu not as a marketplace, but as a sophisticated apparatus for capturing the physical essence of its user base: facial geometry, voiceprints, and fingerprints.

The Illinois Front: Huq v. Temu and BIPA Violations

The legal epicenter of these allegations is the class-action lawsuit Huq v. Temu, alongside parallel filings in Illinois, a state with the world’s most stringent biometric privacy laws. The Illinois Biometric Information Privacy Act (BIPA) prohibits companies from collecting, storing, or transmitting biometric identifiers without explicit, written consent. The lawsuits filed against PDD Holdings allege a flagrant disregard for these statutes. According to the complaints, Temu’s data collection practices bypass standard operating system safeguards to access “literally everything” on a user’s device. Attorneys representing the plaintiffs, citing independent technical experts, argue that the application requests permissions that have no logical nexus to e-commerce. Specifically, the app seeks access to the microphone and camera in ways that enable the surreptitious recording of voiceprints and facial scans. Unlike a standard “visual search” feature, which processes images locally or temporarily, the allegations contend that Temu transmits this biometric telemetry to servers in China, where it contributes to a permanent digital dossier on American consumers. The Huq complaint specifically details how the application’s code is “purposefully and intentionally loaded” with functions to execute malware operations. These functions allegedly allow the app to override user privacy settings, granting PDD Holdings unauthorized access to the biometric hardware of the device, including the fingerprint sensor and the facial recognition array.

Technical Feasibility: The Permission Trojan Horse

To understand the gravity of these allegations, one must examine the technical permissions the Temu application demands. A standard e-commerce application requires network access and, perhaps, camera access for scanning credit cards or searching for products visually. Temu’s permission requests, however, resemble those of a surveillance tool. Forensic analysis reveals that Temu requests access to the CAMERA and RECORD_AUDIO permissions. While PDD Holdings defends these as necessary for “visual search” and “voice search” features, the implementation raises serious red flags. Security researchers have identified that these permissions, once granted, can be exploited via Dynamic Code Loading (DCL) to activate hardware in the background. The danger lies in the distinction between local authentication and remote collection. When a user logs into a banking app using a fingerprint, the operating system (iOS or Android) verifies the print against a locally stored hash; the app never sees the actual fingerprint data. The allegations against Temu suggest a bypass of this protocol. By injecting code post-installation, the application could theoretically intercept the raw input from these sensors or trick the user into providing biometric data under the guise of “identity verification” for gamified rewards, a core component of Temu’s user retention strategy.

The “Fraud Prevention” Smokescreen

PDD Holdings has consistently dismissed these claims, categorizing their data collection as standard industry practice for “fraud prevention” and “risk scoring.” In their updated privacy policies for 2024 and 2025, forced by regulatory pressure in jurisdictions like South Korea, Temu admits to collecting “device data” and “profile” information. They claim that biometric inputs are used solely to verify that a real human is conducting the transaction, preventing bot attacks on their flash sales. This defense crumbles under scrutiny. “Fraud prevention” does not require the permanent storage of facial geometry or voiceprints. Legitimate security implementations use one-way hashing, so the biometric data is never stored in a reversible format. The class-action suits allege that PDD Holdings fails to adhere to these standards, instead maintaining a repository of raw biometric inputs. If true, this creates a national security nightmare: a foreign entity possessing the facial and vocal signatures of millions of Western citizens, data that could be used to train deepfake algorithms or defeat biometric security on other sensitive platforms.

The Pinduoduo Precedent: A Pattern of Biometric Theft

The credibility of these allegations is bolstered by the proven history of Temu’s sister application, Pinduoduo. As detailed in previous sections, Pinduoduo was removed from the Google Play Store in 2023 after researchers found zero-day exploits that allowed the app to escalate privileges and access user data without consent. Analysis of the Pinduoduo malware revealed specific modules designed to harvest user photos and facial data. The code allowed the app to wake up the device, take screenshots, and access the gallery silently. Given that Temu was built by the same engineering teams, frequently relocated directly from Shanghai to PDD’s new offices to work on the “Project Team”, it is statistically and technically probable that the same biometric harvesting logic was ported into Temu’s codebase, potentially obfuscated to evade initial detection by Western app stores.

The Permanence of the Loss

The implications of this specific vector of data theft are catastrophic. A user can change a compromised password. They can cancel a stolen credit card. They cannot change their fingerprints. They cannot alter the geometry of their face or the pitch and timbre of their voice. If PDD Holdings is found to have successfully exfiltrated this data to servers in China—servers subject to the National Intelligence Law which mandates cooperation with state intelligence services—then the biometric security of every affected Temu user is permanently compromised. The lawsuits currently winding their way through Illinois and New York courts represent the only barrier between PDD Holdings and the total biometric profiling of its user base. The evidence suggests that for the price of a cheap plastic trinket, users are unwittingly trading the very biological markers that define their identity.

Beyond E-Commerce: Collection of System Logs and MAC Addresses

The operational architecture of the Temu application extends far beyond the functional requirements of a digital marketplace. While standard e-commerce platforms require basic user data to process transactions and ship goods, PDD Holdings has engineered Temu to harvest deep-system telemetry that offers no tangible benefit to the consumer. This data collection focuses on immutable device identifiers and volatile system states, specifically Media Access Control (MAC) addresses, Wi-Fi network details, and active system logs. These elements, when aggregated, create a permanent, inescapable digital fingerprint for every device the application touches.

The Immutable Identifier: MAC Address Harvesting

A primary vector for this surveillance is the unauthorized collection of MAC addresses. A MAC address is a unique, hard-coded 12-character alphanumeric identifier assigned to a device’s network interface controller (NIC) at the point of manufacture. Unlike advertising IDs (GAID on Android or IDFA on iOS), which users can reset to sever the link between their device and their behavioral profile, a MAC address is permanent. It survives factory resets, app uninstallations, and operating system updates.

Security researchers, including teams at Grizzly Research, have identified methods within Temu’s code designed to query and exfiltrate these identifiers. By capturing the MAC address, PDD Holdings bypasses the privacy safeguards introduced by Apple and Google, which explicitly restrict access to persistent hardware identifiers to prevent non-consensual tracking. When Temu acquires this data, it “locks” the user’s identity to that specific piece of hardware forever. If a user deletes the app and reinstalls it months later, or attempts to use a different account to avoid profiling, the server immediately recognizes the device via its MAC address, merging the new activity with the historical dossier.

Network Mapping: SSID and BSSID Collection

The application’s data harvesting extends to the network environment in which the device operates. Forensic analysis reveals that Temu queries the Service Set Identifier (SSID) and the Basic Service Set Identifier (BSSID) of the Wi-Fi networks the device connects to. The SSID is the human-readable name of the network (e.g., “Home_Wi-Fi”), while the BSSID is the MAC address of the wireless router itself.

This collection serves a dual purpose, neither of which relates to selling discount goods. First, the BSSID acts as a precise geolocation proxy. Companies like Google and Skyhook maintain massive databases mapping BSSIDs to physical coordinates. By harvesting the BSSID, Temu can pinpoint a user’s exact location, frequently within a few meters, even if the user has explicitly denied the application permission to access Global Positioning System (GPS) data. This allows PDD Holdings to track a user’s physical movements between home, work, and other frequent locations without triggering the operating system’s “location in use” indicators.

Second, the aggregation of SSIDs allows for social graphing. If multiple devices connect to the same BSSID (router), PDD Holdings can infer relationships between those users, identifying households, workplaces, and social circles. This network mapping creates a relational database of users, linking individuals who may never have interacted on the platform but who share a physical space.

System Logs and Process Enumeration

Perhaps the most intrusive aspect of Temu’s data collection is its access to system logs and the list of running processes. In the Android operating system, the ability to read “operating processes” allows an application to see every other program currently active on the device. Analysis indicates that Temu checks for the presence of specific packages, monitoring the user’s digital behavior outside the Temu app.

This capability enables competitive intelligence gathering of the highest order. By scanning the process list, Temu can determine if a user is running competitor applications like Amazon, Shein, or Walmart. It can detect banking applications, secure messaging tools, and even VPN software. This data provides PDD Holdings with a real-time view of the user’s app economy, allowing them to adjust pricing, push notifications, or incentives based on the user’s engagement with rival platforms.

Additionally, the collection of system logs poses a severe security risk. System logs (such as Logcat on Android) frequently contain debug information, error messages, and crash dumps from other applications. Poorly coded apps frequently leak sensitive data, including authentication tokens, partial passwords, or personal information, into these logs. If Temu retains access to read these system-level files, it can potentially harvest sensitive data generated by completely unrelated applications, turning the e-commerce app into a passive listening post for the entire device.
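To make concrete why read access to the shared log buffer matters, and how an app team can verify that its own builds leak nothing into it, the following scanner is an added example (not code from the page, from Temu, or from any vendor tool). It parses constructed Logcat “threadtime” lines, reports the tokens and passwords each process wrote, and provides a `scrub()` helper to apply before logging; every log line, package name and token value is constructed for illustration.

```python
"""Detect credentials leaked into Android logcat by other apps.

Added example; not code from the page, from Temu, or from any vendor tool.
It parses constructed logcat 'threadtime' lines, reports secrets each
process wrote to the shared log buffer (readable by any process holding
READ_LOGS or by an attached adb session), and provides a scrub() helper
an app can apply before logging. All lines, package names and token
values below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# threadtime format: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG : message"
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Ordered: a bearer token that is also a JWT is reported once, as bearer_token.
SECRET_PATTERNS: dict[str, re.Pattern[str]] = {
    "bearer_token": re.compile(r"Bearer\s+([A-Za-z0-9\-._~+/]+=*)"),
    "jwt": re.compile(r"\b(eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,})\b"),
    "password_field": re.compile(r'(?i)\b(?:password|passwd|pwd)\s*[=:]\s*"?([^\s"&,]+)'),
    "api_key": re.compile(r'(?i)\b(?:api[_-]?key|secret)\s*[=:]\s*"?([A-Za-z0-9\-_]{12,})'),
}


@dataclass(frozen=True)
class Finding:
    tag: str       # log tag, usually the leaking app's component
    pid: int
    kind: str      # key of SECRET_PATTERNS that matched
    preview: str   # redacted: first four characters only


def redact(secret: str) -> str:
    """Keep just enough of the value to recognise it in a report."""
    return secret[:4] + "****"


def find_secrets(message: str) -> list[tuple[str, str]]:
    """Return (kind, secret) pairs in one message, deduplicated by value."""
    seen: set[str] = set()
    out: list[tuple[str, str]] = []
    for kind, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(message):
            if m.group(1) not in seen:
                seen.add(m.group(1))
                out.append((kind, m.group(1)))
    return out


def scan_logcat(lines: list[str]) -> list[Finding]:
    """Walk raw logcat lines and collect one Finding per leaked value."""
    findings: list[Finding] = []
    for line in lines:
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # not a threadtime line (or truncated); skip rather than fail
        for kind, secret in find_secrets(m["msg"]):
            findings.append(Finding(m["tag"], int(m["pid"]), kind, redact(secret)))
    return findings


def leaking_processes(findings: list[Finding]) -> dict[str, int]:
    """Number of leaked values per log tag, for triage."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


def scrub(message: str) -> str:
    """Defensive counterpart: replace each secret (with its marker) before logging."""
    for kind, pat in SECRET_PATTERNS.items():
        message = pat.sub(f"[{kind} redacted]", message)
    return message


# Constructed logcat excerpt: one clean app and two that leak credentials.
SAMPLE_LOGCAT = [
    "03-14 10:22:01.123  4321  4321 D ShopApp : GET /cart complete",
    "03-14 10:22:02.456  5120  5133 I BankApp : Authorization: Bearer "
    "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyNDIifQ.c2lnbmF0dXJl",
    "03-14 10:22:03.789  5120  5133 E BankApp : login failed password=Hunter2! for user=alice",
    "03-14 10:22:04.000  6001  6001 W ChatApp : refreshing api_key=sk_live_ABCDEFGHIJKLMNOP",
    "03-14 10:22:05.250  4321  4321 D ShopApp : user tapped search",
]

if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"{f.tag:<8} pid={f.pid} {f.kind:<15} {f.preview}")
    print(leaking_processes(scan_logcat(SAMPLE_LOGCAT)))
    print(scrub("login failed password=Hunter2! for user=alice"))
```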

Violation of the Principle of Least Privilege

The cybersecurity principle of “least privilege” dictates that an entity should only have access to the specific data and resources necessary for its legitimate purpose. Temu’s collection of MAC addresses, BSSIDs, and process lists constitutes a flagrant violation of this principle. There is no technical justification for an online store to require the permanent hardware ID of a phone or the MAC address of a user’s home router to process a payment or display a catalog of products.
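The permission requests catalogued earlier (`RECORD_AUDIO`, `CAMERA`, `ACCESS_WIFI_STATE`, `ACCESS_FINE_LOCATION`, `READ_PHONE_STATE`, `QUERY_ALL_PACKAGES`, `GET_TASKS`) and the least-privilege test stated here can be checked mechanically against a manifest. The audit script below is an added example, not code from the page, from Temu, or from any vendor; its e-commerce baseline, risk notes and combination rules are its own assumptions, and the manifest it scans is constructed.

```python
"""Least-privilege audit of an Android manifest.

Added example, not code from the page, from Temu, or from any project's
tooling. It parses a constructed AndroidManifest.xml, compares every
<uses-permission> with an assumed baseline of what a shopping app needs,
and flags requests and combinations that exceed it. The baseline, risk
notes and combination rules are this example's own assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
P = "android.permission."

# Assumed least-privilege baseline for a storefront: network, push, and
# camera for a user-initiated visual search or card scan.
BASELINE = {P + "INTERNET", P + "ACCESS_NETWORK_STATE", P + "POST_NOTIFICATIONS", P + "CAMERA"}

# Why each extra permission matters for a retail app (assumed rationale).
RISK_NOTES = {
    P + "RECORD_AUDIO": "microphone; defensible only behind a user-initiated, foreground-only control",
    P + "READ_PHONE_STATE": "phone-state and subscriber identifiers usable for persistent tracking",
    P + "QUERY_ALL_PACKAGES": "full inventory of installed apps (rival and security-tool detection)",
    P + "GET_TASKS": "deprecated; exposes running tasks",
    P + "READ_LOGS": "shared log buffer may hold other apps' tokens and crash data",
    P + "ACCESS_FINE_LOCATION": "precise GPS position",
    P + "ACCESS_WIFI_STATE": "SSID/BSSID of connected and nearby networks",
    P + "ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    P + "READ_CONTACTS": "contact list enables social-graph mapping",
}

# Combinations whose joint effect exceeds either permission alone.
COMBO_RULES = [
    ({P + "ACCESS_WIFI_STATE", P + "ACCESS_FINE_LOCATION"},
     "Wi-Fi state + fine location: BSSID-based geolocation that works with GPS off"),
    ({P + "QUERY_ALL_PACKAGES", P + "INTERNET"},
     "installed-app inventory can be uploaded (cross-app behavioural profiling)"),
    ({P + "READ_PHONE_STATE", P + "ACCESS_WIFI_STATE"},
     "device identifier + router BSSID: a fingerprint that survives reinstall"),
]


@dataclass
class AuditReport:
    requested: list[str] = field(default_factory=list)
    over_privileged: dict[str, str] = field(default_factory=dict)  # permission -> note
    combos: list[str] = field(default_factory=list)

    @property
    def risk_score(self) -> int:
        """Crude ordinal: one point per excess permission, two per risky combination."""
        return len(self.over_privileged) + 2 * len(self.combos)


def parse_permissions(manifest_xml: str) -> list[str]:
    """Names of all <uses-permission> elements, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit_manifest(manifest_xml: str, baseline: set[str] = BASELINE) -> AuditReport:
    """Compare requested permissions with the baseline and the combination rules."""
    perms = parse_permissions(manifest_xml)
    report = AuditReport(requested=perms)
    for perm in perms:
        if perm not in baseline:
            report.over_privileged[perm] = RISK_NOTES.get(perm, "outside the assumed e-commerce baseline")
    granted = set(perms)
    for needed, note in COMBO_RULES:
        if needed <= granted:
            report.combos.append(note)
    return report


# Constructed manifest for a hypothetical shopping app (not taken from any real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application android:label="Shop"/>
</manifest>"""

if __name__ == "__main__":
    rep = audit_manifest(SAMPLE_MANIFEST)
    for perm, note in rep.over_privileged.items():
        print(f"EXCESS  {perm.removeprefix(P):<26} {note}")
    for note in rep.combos:
        print(f"COMBO   {note}")
    print(f"risk score: {rep.risk_score}")
```

The same audit run over a manifest that requests only `INTERNET` and `CAMERA` reports nothing, which is the shape a storefront's manifest should have.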

This behavior aligns with the patterns identified in the “Pinduoduo” malware incident, where PDD Holdings’ sister app was found to be using zero-day exploits to escalate privileges and prevent uninstallation. The structural similarities in data collection strategies suggest a unified corporate directive to prioritize data dominance over user privacy. The result is an application that functions less like a retailer and more like a surveillance tool, exploiting the trust of the consumer to build a detailed, immutable profile that no amount of privacy settings or opt-outs can erase.

Data Exfiltration Pathways: Proprietary Encryption and Traffic Obfuscation

The Black Box: Network Traffic Analysis and Double Encryption

Forensic analysis of the Temu application reveals a network architecture designed not for e-commerce efficiency, but for opacity. While standard mobile applications rely on Transport Layer Security (TLS) to protect user data during transit, PDD Holdings implements a secondary, proprietary encryption layer on top of standard TLS. This non-standard configuration serves a specific purpose: it blinds security researchers and enterprise monitoring tools. When a standard Man-in-the-Middle (MitM) interception is attempted, a common technique used by security professionals to inspect app traffic for vulnerabilities, the payload remains unintelligible. The data is not secured; it is hermetically sealed against independent audit.

Grizzly Research and independent cybersecurity firms have documented this anomaly, noting that the application’s network behavior mirrors that of sophisticated malware rather than a retail storefront. Legitimate e-commerce platforms use standard RESTful APIs with JSON payloads, which are human-readable when properly decrypted for inspection. Temu, by contrast, frequently employs custom binary or packed data structures. This obfuscation ensures that even if the outer layer of TLS is stripped away using root certificates, the internal data remains a jumbled stream of bytes, concealing the exact nature of the information being exfiltrated from the user’s device.

Weaponized SSL Pinning and Certificate Validation

To further fortify this data tunnel, Temu employs aggressive SSL pinning techniques. In a standard security context, SSL pinning prevents attackers from intercepting traffic by hardcoding the server’s certificate into the app. PDD Holdings, however, appears to use this method to prevent the user from knowing what the app is doing. Security analysts attempting to inspect Temu’s traffic report that the application contains code specifically designed to detect and terminate connections if it senses the presence of analysis tools like Frida or Objection. This anti-analysis logic is characteristic of spyware attempting to evade detection by antivirus sandboxes or manual review.

The Arizona Attorney General’s lawsuit against PDD Holdings explicitly cites these methods, alleging that the app’s code is engineered to “conceal the fact that it is doing so” regarding data exfiltration. The application does not simply transmit data; it actively fights against observation. When the application detects a rooted device or a system proxy, tools frequently used by researchers to monitor data flow, it alters its behavior or ceases transmission, creating a “Heisenberg effect” where the act of observing the app changes its activity. This evasion suggests a deliberate intent to hide specific data pathways from Western regulators and security audits.

Destination: The Pinduoduo Backend Infrastructure

Traffic analysis confirms that even with PDD Holdings’ claims of localized operations, data pathways lead inevitably to infrastructure controlled by the parent company in China. Network requests from the Temu app route through servers that share IP ranges and architectural signatures with Pinduoduo, the app previously banned by Google for exploiting zero-day vulnerabilities. This shared infrastructure means that data collected from Western users traverses a digital pipeline subject to the People’s Republic of China’s National Intelligence Law, which mandates that Chinese companies assist in state intelligence work.

The volume of data transmitted also raises red flags. Packet capture analysis shows data bursts that are disproportionate to the user’s activity. A simple product search should generate minimal traffic. Yet the app frequently initiates large, encrypted data uploads in the background, even when the user is not actively shopping. These “heartbeat” transmissions suggest the continuous synchronization of logs, device identifiers, and potentially the biometric hash data discussed in previous sections. The use of non-standard ports and raw IP addresses, rather than clear domain names, further complicates the tracking of these data packets, burying the exfiltration needle in a haystack of digital noise.

Bypassing Enterprise Security Controls

The implications of this proprietary encryption extend to corporate environments. Enterprise firewalls and Mobile Device Management (MDM) solutions rely on traffic inspection to block malicious activity. Because Temu encapsulates its traffic in a custom encrypted tunnel, it creates a blind spot within corporate networks. Data Loss Prevention (DLP) systems cannot scan the contents of Temu’s packets to see if sensitive corporate credentials or contacts are being siphoned. This renders the app a Trojan horse; once installed on a device connected to a corporate Wi-Fi network, it establishes a secure, unmonitored line of communication to PDD Holdings’ servers, bypassing standard perimeter defenses.

This architectural decision, to prioritize obfuscation over transparency, stands in direct contrast to industry standards like the Open Web Application Security Project (OWASP) guidelines. While encryption is necessary for privacy, the use of anti-tamper methods and custom packing indicates a defensive posture against security researchers, not cybercriminals. The evidence suggests that the encryption is not there to keep hackers out, but to keep the user’s gaze out, ensuring that the vast stream of personal and device data flows uninterrupted and unexamined to its final destination.

The 'Data-Theft Business' Model: Monetization of User Information

The economic structure of PDD Holdings and its subsidiary Temu presents a financial paradox that defies traditional retail logic. Analysis of the company’s pricing strategy reveals a mathematical impossibility: goods sold at prices so low they cannot cover the cost of manufacturing, let alone shipping and logistics. In 2024, industry analysts estimated that Temu lost approximately $30 on every order placed in the United States. With millions of orders processed daily, these losses accumulated to an estimated $8 billion to $9 billion annually. No legitimate retailer can sustain such massive negative margins without an alternative, high-value revenue stream. The evidence suggests that Temu does not primarily exist to sell discounted consumer goods. Instead, the application functions as a sophisticated data extraction engine, where the cheap merchandise serves as the bait to acquire the true asset: the user’s digital identity.

Legal authorities have begun to formally recognize this operational reality. In June 2024, Arkansas Attorney General Tim Griffin filed a lawsuit against PDD Holdings and WhaleCo Inc., explicitly labeling Temu a “data-theft business.” The complaint asserts that the platform is “functionally malware and spyware,” designed to strip-mine user devices for sensitive information. This characterization aligns with the findings of Grizzly Research, which described the app as “cleverly hidden spyware.” The core business model is not e-commerce; it is the monetization of unauthorized data collection. By selling goods at a loss, Temu purchases access to a user’s smartphone, securing a permanent surveillance node within the device.

Methods of Data Monetization

The monetization of this extracted data occurs through two primary channels: direct sale to third parties and the internal optimization of PDD Holdings’ advertising algorithms. While Temu’s privacy policy contains standard language regarding data protection, it also includes broad permissions that allow the sharing of user information with “affiliates” and “marketing partners.” These terms are legally elastic. In the context of PDD Holdings’ corporate structure, “affiliates” can encompass a vast network of entities, including those with ties to state-sponsored apparatuses in China. The Arkansas lawsuit alleges that Temu “monetizes this unauthorized collection of data by selling it to third parties,” a claim that transforms the user’s private life into a tradable commodity.

PDD Holdings’ financial reports provide further evidence of this data-centric revenue model. The bulk of the company’s income comes from “Online Marketing Services” rather than direct transaction fees. Merchants on the platform pay for visibility, and this visibility is powered by the granular data collected from users. The app’s ability to track activity across other applications, a capability exposed by forensic code analysis, allows PDD to build psychographic profiles of immense value. Advertisers pay a premium to target users based on their behavior outside the Temu app, a service that PDD can offer only because of its invasive data harvesting practices. The “loss” on a $5 pair of sneakers is recouped many times over through the sale of the buyer’s behavioral data to the highest bidder.

Valuation of Biometric and Social Data

The specific types of data targeted by Temu indicate a valuation model that goes beyond simple consumer profiling. The application requests permissions for biometric data, including facial recognition and fingerprints, as well as access to contacts and local networks. In the illicit data market, biometric identifiers command a much higher price than credit card numbers or email addresses. A password can be changed; a fingerprint cannot. By harvesting this immutable identity data, PDD Holdings acquires an asset with infinite shelf life. The collection of contact lists also allows the company to map social graphs, identifying connections between users and non-users alike. This “shadow profiling” expands the company’s surveillance reach beyond its installed user base, creating a detailed map of social interactions that has significant intelligence value.

Estimated Value of User Data Types vs. Retail Loss

| Data Type | Market Utility | Strategic Value |
| --- | --- | --- |
| Purchase History | Targeted Advertising | Low (Standard Retail) |
| Device MAC Address | Persistent Tracking | Medium (Device Fingerprinting) |
| Social Graph (Contacts) | Network Mapping | High (Surveillance/Intel) |
| Biometrics (Face/Print) | Identity Verification | Very High (Immutable ID) |
| Cross-App Activity | Behavioral Profiling | Very High (Competitive Intel) |

The aggressive acquisition of this high-value data explains the company’s willingness to absorb billions in retail losses. In the data economy, the cost of acquiring a user, even at $30 per head, is a bargain if the resulting data stream yields biometric identifiers and persistent surveillance capabilities. The “loss leader” strategy is a misnomer; the retail transaction is not the business. It is the entry fee PDD Holdings pays to install its probe on a target device. Once installed, the app’s code loading capabilities ensure that this probe can evolve, adding new data collection features as needed to maximize the yield from each infected device.

Regulatory Backlash and Future Risks

The exposure of this business model has triggered a wave of litigation and regulatory action. Beyond the Arkansas lawsuit, the Texas Attorney General filed suit in February 2026, describing Temu as “Chinese Communist spyware disguised as a shopping app.” These legal challenges strike at the heart of PDD’s revenue engine. If courts block the company’s ability to harvest and monetize data, the mathematical foundation of its “retail” business collapses. Without the subsidy provided by data sales, the prices of goods on Temu would necessarily rise to sustainable levels, destroying the platform’s primary competitive advantage. The company’s frantic efforts to obfuscate its code and hide its data exfiltration pathways suggest that its executives are acutely aware of this vulnerability. They are not protecting trade secrets; they are protecting the method of their data-theft operation.

The trajectory of PDD Holdings depends entirely on its ability to maintain this flow of illicit data. As scrutiny intensifies, the company faces a choice: abandon its lucrative data-theft model and face financial ruin, or double down on obfuscation and risk a total ban in Western markets. The evidence indicates they have chosen the latter route. The app’s code continues to exhibit malware-like behavior, and its data demands remain voracious. Consumers who believe they are getting a deal are, in reality, selling their digital souls for cheap plastic, funding a surveillance apparatus that views them not as customers, but as raw material for extraction.

Class Action Litigation: Hu v. Temu and Violations of Wiretap Laws

The Hu v. Whaleco Filing: Redefining E-Commerce as Espionage

The legal battle against PDD Holdings entered a combative new phase with the filing of *Hu v. Whaleco Inc.* (Case No. 1:23-cv-06962) in the U.S. District Court for the Eastern District of New York. Lead plaintiff Eric Hu, representing a nationwide class of users, leveled accusations that fundamentally reclassified Temu from a shopping application to a sophisticated surveillance tool. The complaint, which aggregates technical findings from multiple cybersecurity firms, alleges that PDD Holdings intentionally engineered the app to violate the **Electronic Communications Privacy Act (ECPA)** and the **Computer Fraud and Abuse Act (CFAA)**. Unlike typical data breach litigation, which frequently centers on negligence, the *Hu* lawsuit asserts active malice. The plaintiffs argue that Temu functions as “spyware” designed to intercept electronic communications without user consent. The core of this argument rests on the app’s use of an in-app browser. When a user clicks a link within Temu, the application does not open the standard system browser (like Chrome or Safari). Instead, it loads the page within its own internal webview. The lawsuit claims this method allows PDD Holdings to inject JavaScript code that monitors every keystroke, scroll, and tap, wiretapping the user’s interaction with third-party websites, including payment gateways and social media platforms.

Violations of Federal Wiretap Laws

The specific legal statutes in *Hu* and subsequent consolidated cases focus on the interception of oral, wire, and electronic communications. Plaintiffs contend that Temu’s data collection practices exceed the scope of a standard e-commerce transaction, constituting a violation of federal wiretap laws. The complaint details how the app allegedly records audio via the device’s microphone and captures visual data through the camera, frequently without a clear visual indicator to the user. Legal filings describe a “clandestine tracking activity” in which the app collects:

* **Biometric Data:** Facial geometry and fingerprints, ostensibly for payment verification but allegedly stored for user profiling.
* **Precise Location:** GPS data tracked even when the app runs in the background.
* **System Logs:** MAC addresses and device IMEIs, which serve as permanent digital fingerprints that users cannot reset.

The plaintiffs argue that PDD Holdings obscures these activities through “dark patterns”, user interface designs that trick consumers into granting invasive permissions. For instance, the app may request access to Bluetooth to “find local devices,” a permission that, once granted, allows the app to map the user’s home network and identify other connected smart devices.

Corroboration by State Attorneys General

The allegations in the *Hu* class action gained substantial weight when multiple State Attorneys General launched independent lawsuits against PDD Holdings, echoing the private litigation’s claims. In 2024 and 2025, the Attorneys General of Arkansas, Nebraska, Texas, and Arizona filed suits describing Temu as “functionally malware.” Arkansas Attorney General Tim Griffin was among the first to explicitly label the platform a “data-theft business.” His filing argued that the app’s code contained functions specifically designed to evade detection by mobile operating systems, a behavior characteristic of malicious software, not a retail storefront. The Nebraska lawsuit, filed by Attorney General Mike Hilgers, expanded on this, accusing PDD Holdings of violating the **Deceptive Trade Practices Act**. Hilgers’ office presented evidence that the app could recompile its own code after installation, a technique known as dynamic code loading. This capability allows the developer to alter the app’s behavior *after* it has passed the Apple App Store or Google Play Store security review, bypassing the safety checks intended to protect consumers.

The September 2025 FTC Settlement

While the class action litigation trudged through procedural hurdles, federal regulators delivered a confirmed blow to PDD Holdings’ operations. In September 2025, the Federal Trade Commission (FTC) announced a settlement requiring Whaleco Inc. to pay $2 million in civil penalties. The enforcement action focused on violations of the **INFORM Consumers Act**, which mandates that online marketplaces collect and verify information from high-volume third-party sellers. Although the FTC action targeted seller verification rather than the spyware allegations directly, it established a judicial record of PDD Holdings’ failure to comply with U.S. consumer protection laws. The settlement forced PDD Holdings to admit that it had not provided consumers with the required mechanism to report suspicious activity, further eroding the company’s defense that it operates a transparent and compliant marketplace. This regulatory finding provided ammunition for the class action plaintiffs, who cite the FTC’s intervention as proof of a widespread corporate culture that prioritizes growth and data acquisition over legal compliance.

Defense Strategy: Arbitration and Obfuscation

PDD Holdings has responded to the *Hu* litigation and parallel state lawsuits with a dual strategy of denial and procedural delay. In court filings, Whaleco Inc. attorneys argue that the app’s data collection is standard for the industry and disclosed in the Terms of Service. They contend that users “consented” to the data harvesting by accepting the user agreement upon sign-up. Furthermore, the defense has aggressively moved to compel arbitration. By enforcing the mandatory arbitration clause buried in the app’s fine print, PDD Holdings seeks to dismantle the class action, forcing individual users to resolve their disputes in private tribunals rather than in open court. This tactic aims to prevent a public jury trial that could expose the full extent of the app’s code structure and data exfiltration pathways. However, judges in Illinois and New York have shown skepticism toward this argument, particularly given the allegations that the “consent” was obtained through deceptive user interfaces that hid the true nature of the permissions being granted.

Table 11.1: Key Legal Actions Against PDD Holdings (2023-2026)

| Case / Plaintiff | Jurisdiction | Primary Allegation | Status (as of Feb 2026) |
| --- | --- | --- | --- |
| Hu v. Whaleco Inc. | E.D. New York | Violation of ECPA (Wiretapping), CFAA, Spyware | Active; Motion to Dismiss Pending |
| Ziboukh v. Whaleco Inc. | N.D. Illinois | Biometric Information Privacy Act (BIPA) Violations | Consolidated with similar filings |
| State of Arkansas v. Temu | State Court | Deceptive Trade Practices; “Functionally Malware” | Discovery Phase |
| FTC Enforcement Action | Federal Agency | INFORM Consumers Act Violations | Settled Sept 2025 ($2M Penalty) |
| State of Texas v. PDD Holdings | State Court | Unauthorized Data Harvesting; CCP Ties | Filed Feb 2026 |

State Attorney General Probes: Arkansas and Texas 'Spyware' Lawsuits

The transition from private class-action litigation to state-level enforcement marks a severe escalation in the scrutiny of PDD Holdings. While individual plaintiffs seek damages for privacy violations, state Attorneys General (AGs) wield the power to demand structural changes, impose massive civil penalties, and potentially enjoin operations entirely. The legal narratives emerging from Arkansas and Texas do not merely accuse Temu of negligence; they classify the application as a weaponized data-collection tool disguised as commerce.

### Arkansas: The “Functionally Malware” Precedent

In June 2024, Arkansas Attorney General Tim Griffin filed a landmark lawsuit against PDD Holdings and its subsidiary WhaleCo Inc., becoming the first state official to formally label the Temu application as malicious software. The complaint, filed in Cleburne County Circuit Court, relies heavily on forensic findings that mirror the Grizzly Research report. Griffin’s office did not mince words, issuing a statement that fundamentally reframed the public understanding of the app. “Temu is not an online marketplace like Amazon or Walmart,” Griffin declared. “It is a data-theft business that sells goods online as a means to an end.”

The lawsuit alleges violations of the Arkansas Deceptive Trade Practices Act (ADTPA) and the Personal Information Protection Act (PIPA). Unlike typical consumer protection suits that focus on pricing errors or refund policies, the Arkansas complaint targets the application’s code architecture. It asserts that Temu is “functionally malware and spyware,” designed purposefully to gain unrestricted access to a user’s phone operating system. Key allegations in the Arkansas filing include:

* **Privacy Setting Override:** The app is accused of using dynamic code loading to bypass user-denied permissions, overriding the data privacy settings on iOS and Android devices.
* **Data Monetization:** The complaint argues that the sale of cheap goods is a “loss leader” strategy, where PDD loses an estimated $30 per order to acquire valuable user data, which is then monetized to offset the operational deficit.
* **Obfuscation:** The suit claims PDD employs “sophisticated” methods to hide its data exfiltration pathways, making it nearly impossible for average users to detect the theft.

Griffin’s legal team explicitly connected Temu to its sister app, Pinduoduo, citing the 2023 suspension by Google due to the presence of zero-day exploits. The argument posits that the same engineering teams and corporate directives that produced the Pinduoduo malware are responsible for Temu’s architecture, rendering the separation between the two entities cosmetic rather than functional.

### Texas: The “Digital Trojan Horse”

In February 2026, the legal pressure intensified significantly when Texas Attorney General Ken Paxton filed suit against PDD Holdings and WhaleCo Inc. This action, part of a broader initiative by Paxton to target companies linked to the Chinese Communist Party (CCP), escalated the rhetoric and the specific charges against the company. Paxton characterized the application as a “digital Trojan Horse” and “Chinese Communist spyware disguised as a shopping app.” The Texas lawsuit, filed under the Texas Deceptive Trade Practices Act (DTPA), focuses heavily on the deceptive nature of the exchange offered to consumers. The state contends that Texans are lured by “impossibly low prices” on goods, unaware that the true transaction involves the surrender of their biometric and private data.

The Texas complaint introduces specific concerns regarding biometric harvesting. It alleges that Temu’s code contains functions capable of capturing facial geometry and voiceprints, data points that are immutable and highly sensitive. Paxton’s office asserts that PDD fails to disclose the extent of this collection or the fact that such data is accessible to engineers in China, where national intelligence laws compel companies to assist state security apparatuses. The relief sought by Texas is substantial. The state seeks civil penalties of up to $10,000 for each violation of the DTPA, a figure that could aggregate to hundreds of millions of dollars given the millions of Texas users. In addition, the suit seeks a further penalty of up to $250,000 per violation for acts targeting consumers aged 65 or older, a demographic frequently attracted to the app’s discount-heavy marketing.

### Legal Strategy and Corporate Defense

Both lawsuits attack PDD Holdings using consumer protection statutes that prohibit “deceptive” acts. The deception, according to the AGs, lies in the omission of the app’s true purpose. By presenting itself as a standard e-commerce retailer, Temu induces users to download software they would otherwise reject if they understood its surveillance capabilities. The “bait-and-switch” argument is central here. The AGs contend that the “bait” is the subsidized product (e.g., a $3 smartwatch), and the “switch” is the installation of persistent surveillance software. This legal theory allows the states to bypass the complex technical debates about specific API calls and focus on the consumer’s absence of informed consent.

PDD Holdings has responded to these state actions with categorical denials. A spokesperson for the company stated they were “surprised and disappointed” by the Arkansas filing and attributed the allegations to “misinformation circulated online,” specifically pointing to short-seller reports. The company maintains that its data practices are standard for the industry and that it does not sell user data. PDD has vowed to “vigorously defend” itself in court, arguing that its privacy disclosures are adequate and that the “malware” characterizations are technically unfounded.

### Implications of State-Level Intervention

The entry of state Attorneys General changes the risk profile for PDD Holdings. Unlike class-action lawsuits, which companies frequently settle for a fixed sum without admitting guilt, state enforcement actions can result in binding injunctions. An injunction could legally force Apple and Google to remove the Temu application from their stores within specific jurisdictions, or require PDD to fundamentally rewrite its code to comply with state audits.

The Texas and Arkansas suits also create a discovery hazard for PDD. The legal discovery process could grant state investigators access to internal communications, engineering documents, and data flow logs. If these documents reveal evidence of the “backdoors” or “dynamic code loading” alleged by security researchers, it could trigger a cascade of federal actions and further state lawsuits. These probes show a growing consensus among U.S. regulators that the risks posed by PDD Holdings extend beyond economic competition. The language used—“malware,” “spyware,” “data-theft business”—signals that state officials view the application not as a commercial entity but as a cybersecurity threat operating within their borders. The outcome of these cases will likely determine whether Temu can continue to operate in its current form within the United States.

EU Digital Services Act: Formal Proceedings on Illegal Products and Design

The Escalation to Formal Proceedings: October 2024

On October 31, 2024, the European Commission escalated its scrutiny of PDD Holdings into a formal investigation, marking a critical legal turn for the conglomerate’s international storefront. The Commission opened formal proceedings against Temu under the Digital Services Act (DSA), citing suspicions that the platform breached legally binding obligations related to the sale of illegal products, the design of its service, and transparency requirements. This action followed Temu’s designation as a Very Large Online Platform (VLOP) on May 31, 2024, a classification reserved for platforms reaching more than 45 million monthly active users in the EU. By September 2024, Temu reported 92 million monthly users, subjecting it to the most stringent tier of DSA compliance. The investigation focuses on the company’s failure to mitigate “widespread risks” associated with its rapid growth and aggressive user acquisition strategies.

The BEUC Complaint: A Pan-European Trigger

The formal proceedings did not emerge in a vacuum but were precipitated by a coordinated legal offensive from the European Consumer Organisation (BEUC). In May 2024, BEUC and 17 of its member organizations filed simultaneous complaints with national authorities, accusing Temu of failing to protect consumers and using “manipulative practices” that violate EU law. The consumer watchdog provided evidence that Temu used dark patterns (deceptive interface designs) to coerce users into spending more money and surrendering more data than intended. These complaints highlighted that Temu frequently failed to provide crucial information about the traders operating on its platform, a violation of the “Traceability of Traders” requirement (Article 30 DSA). This opacity makes it nearly impossible for regulators or users to hold specific sellers accountable for defective or spyware-laden merchandise.

Pillar One: The “Rogue Trader” Loophole

A primary focus of the Commission’s investigation is the effectiveness of Temu’s systems to limit the sale of non-compliant products. The DSA requires platforms not only to remove illegal goods when notified but also to prevent their reappearance. The Commission suspects that Temu’s current measures are insufficient to stop “rogue traders”, sellers previously suspended for peddling unsafe or counterfeit goods, from simply creating new accounts and resuming operations. This “Whac-A-Mole” dynamic presents a direct data privacy risk; sellers who bypass safety regulations for physical goods are unlikely to adhere to data protection standards. These unvetted merchants are the primary vector for the distribution of compromised IoT devices and electronics that can serve as hardware-based entry points for malware, a risk category PDD Holdings has consistently downplayed in its compliance reports.

Pillar Two: Weaponized Gamification and Addictive Design

The investigation also scrutinizes the “addictive design” of the Temu application, specifically its game-like reward programs such as “Spin the Wheel” and “Fishland.” The Commission is examining whether these features breach DSA Article 34, which mandates the mitigation of risks to the “physical and mental well-being” of users. These gamification mechanics are not merely engagement tools; they are sophisticated behavioral modification systems designed to maximize screen time and data generation. By conditioning users to open the app at specific intervals to maintain “streaks” or claim “rewards,” Temu ensures a continuous stream of telemetry data and device interactions. The probe assesses whether PDD Holdings intentionally engineered these systems to exploit psychological vulnerabilities, trading user mental health for higher data throughput and retention metrics.

Pillar Three: The Black Box of Recommender Systems

Transparency regarding how content is pushed to users forms the third pillar of the inquiry. Under DSA Articles 27 and 38, VLOPs must disclose the “main parameters” of their recommender systems and provide at least one option that is not based on profiling. The Commission suspects Temu of maintaining a “black box” algorithm that profiles users without adequate consent or explanation. This profiling is central to PDD’s business model, which relies on granular data analysis to predict consumer behavior. The failure to offer a non-profiling alternative forces users into a surveillance-based experience where their every click and hover is fed back into the recommendation engine, creating a feedback loop that prioritizes viral, low-quality items over safer, verified alternatives.

Pillar Four: The Data Blockade Against Researchers

Perhaps the most damning aspect of the investigation regarding malware discovery is the alleged violation of Article 40. This article mandates that VLOPs must provide vetted researchers with access to publicly accessible data to study widespread risks. The Commission’s probe indicates that Temu has obstructed this access, shielding its internal operations from independent academic and technical scrutiny. By denying researchers the ability to analyze the platform’s data flows and code structures, PDD Holdings prevents the external detection of the very privacy vulnerabilities and malware execution routes identified by firms like Grizzly Research. This obstructionism suggests a deliberate strategy to keep the “data-theft business” model hidden behind a wall of legal non-compliance.

August 2025 Preliminary Findings: A Failure of Assessment

In August 2025, the Commission released preliminary findings from its ongoing investigation, delivering a sharp rebuke to PDD Holdings. The findings indicated that Temu’s risk assessment, submitted in late 2024, was “insufficient” and relied heavily on “general industry data” rather than specific, internal metrics. This absence of specificity suggests that Temu either does not track the necessary safety data or refuses to share it. The Commission noted a “significant likelihood” that EU consumers were still encountering non-compliant items, including unsafe electronics, despite PDD’s assurances. This regulatory failure confirms that the company’s compliance efforts were largely performative, designed to tick boxes rather than address the fundamental architectural flaws that permit data exploitation and product safety violations.

Financial and Enforcement Implications

The implications of these proceedings are financially severe. If the alleged breaches are confirmed, PDD Holdings faces fines of up to 6% of its total worldwide annual turnover. Based on PDD’s revenue trajectory, this penalty could amount to billions of dollars. Beyond the financial hit, the Commission holds the power to impose “interim measures” to force immediate changes to the platform’s design and operation. This could theoretically include a suspension of the “addictive” gamification features or a mandatory restructuring of the seller verification process. As of February 2026, the investigation remains active, with PDD Holdings attempting to negotiate “compliance commitments” to avoid the maximum penalty, yet the structural reliance of Temu on data-harvesting mechanics makes full compliance with the DSA’s privacy-centric mandates functionally difficult for the corporation.

National Security Implications: Potential Data Accessibility by Chinese Intelligence

The following investigative review examines the national security implications of PDD Holdings’ operations, specifically focusing on the potential for Chinese intelligence agencies to access user data through the Temu application.

***

### **SECTION 14: National Security: Potential Data Accessibility by Chinese Intelligence**

The cumulative evidence regarding PDD Holdings’ technical architecture, corporate restructuring, and data collection practices converges on a single, critical vulnerability: the exposure of Western user data to the apparatus of the Chinese Communist Party (CCP). While PDD Holdings legally domiciled itself in Dublin, Ireland, in 2023, this corporate migration appears to be a legal fiction designed to assuage Western regulators while the company’s operational core—and its data processing—remains firmly entrenched within the People’s Republic of China (PRC). This disconnect between legal registration and operational reality creates a direct vector for state-sponsored data harvesting, governed not by European privacy standards but by Beijing’s aggressive intelligence mandates.

#### **The Legal Stranglehold: Article 7 and the Counter-Espionage Law**

The primary mechanism rendering Temu a national security threat is the PRC’s legal framework, which deputizes private companies as intelligence assets. The **2017 National Intelligence Law** explicitly obliterates the distinction between commercial enterprise and state espionage. **Article 7** of this statute mandates that *“any organization or citizen shall support, assist and cooperate with the state intelligence work in accordance with the law.”* Crucially, it further stipulates that the state shall protect those who aid in these efforts, creating a closed loop of compulsion and immunity. For PDD Holdings, this law means that no matter where its headquarters are nominally located, its China-based engineers and executives are legally bound to surrender data upon request. There is no legal recourse in Chinese courts to refuse such a demand. Furthermore, the **2014 Counter-Espionage Law**, significantly expanded in July 2023, broadened the definition of espionage to include the transfer of any documents, data, or materials related to “national security and interests.” This vague phrasing grants authorities unlimited discretion to seize commercial data—including the biometric inputs, geolocation logs, and social graphs harvested by Temu—under the guise of national security investigations.

#### **The ‘Off-Shore’ Fallacy: Data Sovereignty vs. Engineering Access**

PDD Holdings frequently cites its use of US-based servers (such as those hosted by Microsoft Azure) as proof of data security. This is a diversion. Physical server location is irrelevant if administrative access is held by personnel in a jurisdiction subject to CCP coercion. Investigations reveal that the engineers who build, update, and maintain Temu’s code are predominantly located in Shanghai and other Chinese tech hubs. These individuals possess the cryptographic keys and administrative privileges necessary to access “off-shore” data. Consequently, a US user’s data may reside on a server in Virginia, yet be fully accessible to a PDD engineer in Shanghai who is subject to immediate detention or pressure by the Ministry of State Security (MSS). The “air gap” that PDD claims exists between its international user data and its Chinese operations is functionally non-existent. The **Grizzly Research** report highlighted this vulnerability, noting that the development teams for Temu and the malware-ridden Pinduoduo app overlap significantly, meaning the same individuals who engineered backdoors for domestic surveillance manage the code running on Western devices.

#### **Weaponization of the ‘Digital Silk Road’**

The strategic utility of the data Temu collects extends beyond commercial advertising. Intelligence analysts view platforms like Temu as nodes in China’s **“Digital Silk Road,”** a state initiative to export digital infrastructure and capture global data flows. The specific types of data Temu collects—precise geolocation, Wi-Fi network names (SSIDs), and biometric identifiers—are high-value assets for intelligence agencies.

* **Geolocation Data:** By tracking the movement of millions of users, intelligence services can identify patterns of life for military personnel, government officials, and defense contractors. A “shopping app” that pings a user’s location 80 times a minute creates a high-fidelity tracking beacon.
* **Social Graphing:** Access to contact lists and social interactions allows the MSS to map networks of influence and identify opportunities for coercion or recruitment.
* **Device Fingerprinting:** The collection of MAC addresses and unique device identifiers (IMEI) allows for the permanent tagging of specific hardware, facilitating long-term surveillance even if the app is deleted.

#### **Congressional and Intelligence Community Warnings**

The threat posed by PDD Holdings has triggered urgent warnings from US legislative and intelligence bodies. The **US-China Economic and Security Review Commission (USCC)** issued a report in 2023 explicitly linking Temu’s data practices to the risks observed in other Chinese state-linked software. The commission noted that the “blurring of lines” between the CCP and Chinese tech firms makes it impossible to verify any claims of data privacy. Additionally, the **House Select Committee on the CCP** has investigated Temu’s supply chain and data practices, labeling the app a potential tool for “digital authoritarianism.” In 2024, the **House Intelligence Committee** requested briefings from the FBI and SEC, citing concerns that PDD Holdings was operating as an arm of Chinese state intelligence. These inquiries show a growing consensus in Washington: Temu is not merely a marketplace but a dual-use technology platform capable of supporting adversarial intelligence operations.

#### **The Precedent of State-Directed Espionage**

History provides grim context for these concerns. The CCP has a documented track record of using commercial entities to exfiltrate data. The 2017 hack of Equifax, attributed to the PLA, and the theft of OPM data demonstrated Beijing’s appetite for building massive databases on American citizens. Temu represents an evolution of this strategy—rather than stealing data through hacks, the CCP can simply compel a popular application to collect it legally from consenting users who are unaware of the app’s true capabilities. The **Arizona Attorney General’s lawsuit** filed in late 2025 explicitly reinforced this point, stating that Temu’s code is designed to “evade security reviews” and “conceal the exfiltration of data,” behaviors consistent with state-sponsored malware rather than legitimate e-commerce software. The suit alleges that the app’s ability to execute dynamically loaded code (downloading new instructions after installation) creates a “backdoor” that could be activated by Beijing to turn millions of consumer devices into a distributed surveillance network during a geopolitical emergency.

#### **Conclusion: The Unseen Cost of Cheap Goods**

The national security implications of PDD Holdings’ operations are severe. The company’s structure, legal obligations to the CCP, and aggressive data harvesting practices create a clear pathway for Chinese intelligence to access the private lives of Western citizens. Temu functions as a Trojan horse, entering the digital space of the West not through force but through the allure of rock-bottom prices. The data it extracts—biometric, spatial, and social—feeds a strategic intelligence apparatus that views information dominance as a critical component of modern warfare. As long as PDD Holdings remains subject to PRC law, the privacy of its users is not just compromised; it is commandeered by a foreign adversary.

***

### **Review Summary: PDD Holdings Inc.**

**Entity:** PDD Holdings Inc. (Temu / Pinduoduo)
**Review Period:** 2015–2026
**Investigative Focus:** Data Privacy, Malware Risks, National Security
**Final Verdict:** PDD Holdings represents a **Category 1 Cyber Threat** to consumer privacy and national security. The investigation confirms that the company’s applications, particularly Temu, function as sophisticated data extraction tools disguised as e-commerce platforms.

**Key Findings:**

1. **Malware Architecture:** The app uses dynamic code loading and private APIs to bypass operating system security, behaviors identical to known malware.
2. **State Compulsion:** Despite an Irish domicile, the company remains legally and operationally bound to the Chinese Communist Party’s intelligence apparatus via the 2017 National Intelligence Law.
3. **Deceptive Practices:** PDD Holdings actively obfuscates its data collection, hiding the extent of its access to microphones, cameras, and location data from users and regulators.
4. **Strategic Threat:** The aggregation of Western user data poses a long-term counterintelligence risk, enabling mass surveillance and the mapping of critical personnel.

**Recommendation:** Immediate removal of the Temu application from all government and sensitive corporate devices is advised. Consumers are strongly urged to delete the application and sanitize their devices to prevent persistent tracking. Regulatory bodies must treat PDD Holdings not as a commercial retailer but as a high-risk data broker with adversarial state ties.


Questions And Answers

Tell me about the corporate obfuscation: pdd holdings' strategic relocation to ireland of PDD Holdings.

SECTION 1 of 14: Corporate Obfuscation: PDD Holdings' Strategic Relocation to Ireland In May 2023, a quiet significant alteration appeared in the regulatory filings of PDD Holdings Inc. With a few keystrokes, the e-commerce giant shifted its "principal executive offices" from Shanghai, China, to Dublin, Ireland. This modification, buried in a Form 20-F filed with the United States Securities and Exchange Commission (SEC), was not accompanied by a grand opening.

Tell me about the the march 2023 suspension: a corporate watershed of PDD Holdings.

On March 21, 2023, Google took the rare and decisive step of suspending the Pinduoduo application from the Google Play Store, citing the discovery of malware in versions of the software. This was not a routine policy violation or a minor compliance oversight. It was a response to what security researchers at Lookout and Kaspersky later identified as one of the most sophisticated app-based attacks in history. The suspension marked.

Tell me about the technical anatomy of the exploit: cve-2023-20963 of PDD Holdings.

The core of the Pinduoduo malware engine relied on the exploitation of CVE-2023-20963, a serious vulnerability in the Android Framework. This flaw allowed the application to escalate privileges without user interaction. Security firm Lookout confirmed that Pinduoduo versions were exploiting this vulnerability in the wild before Google had even released a public patch, classifying the attack as a zero-day exploit. This timing demonstrates that PDD Holdings did not stumble upon.

Tell me about the "dark team" and the Temu connection of PDD Holdings.

The sophistication of the Pinduoduo exploit suggests a high level of organizational backing. Investigations by CNN and other outlets revealed the existence of a specialized internal unit at PDD Holdings, comprised of approximately 100 engineers and product managers. This team was reportedly tasked with hunting for vulnerabilities in Android systems and developing exploits to weaponize them for commercial gain. Their objective was not security research but the aggressive acquisition of user.

Tell me about the corporate denial versus technical reality of PDD Holdings.

PDD Holdings' official response to the suspension was a study in deflection. The company issued statements rejecting the "speculation and accusation" that its app was malicious, characterizing Google's action as a non-conclusive policy enforcement. They further attempted to dilute the severity of the incident by claiming that "several other apps" were suspended simultaneously, a whataboutism tactic designed to normalize their specific violation. This narrative crumbled under independent scrutiny. Kaspersky researchers.

Tell me about the grizzly research findings: allegations of 'cleverly hidden spyware' of PDD Holdings.

On September 7, 2023, Grizzly Research released a forensic report that shattered the perception of Temu as a benign discount retailer. Titled *"We believe PDD is a Dying Fraudulent Company and its Shopping App TEMU is Cleverly Hidden Spyware,"* the document presented a technical dissection of the application's code. The firm's analysts concluded that the application functions less like an e-commerce platform and more like a sophisticated data extraction tool.

Tell me about the dynamic code loading: the bait-and-switch method of PDD Holdings.

The central pillar of the security allegations against Temu rests on a method known as Dynamic Code Loading (DCL). This technique represents a fundamental subversion of the safeguards established by major mobile application marketplaces. In standard software distribution, an application undergoes rigorous static analysis by Apple or Google before it reaches the user. Reviewers scan the code for malicious patterns, known vulnerabilities, and unauthorized permission requests. Once approved, the code.

Tell me about the technical evasion of static analysis of PDD Holdings.

The technical implementation of this evasion is sophisticated. On the Android operating system, the application reportedly uses system APIs such as `dalvik.system.DexClassLoader`. This class allows an application to load classes from a `.jar` or `.apk` file containing a `classes.dex` entry. While legitimate developers use this for hot-patching bugs, security researchers assert that Temu uses it to inject substantial new functionalities that were never present in.

Tell me about the the "functionally malware" allegation of PDD Holdings.

The implications of this architecture are severe. In a lawsuit filed in June 2024, Arkansas Attorney General Tim Griffin described Temu not as a shopping app, but as "functionally malware." The complaint alleges that the app is "purposefully designed to gain unrestricted access to a user's phone operating system." Because the code is loaded dynamically, it can theoretically request permissions or exploit system vulnerabilities (zero-day exploits) that the user never explicitly authorized. Grizzly.

Tell me about the obfuscation and persistence of PDD Holdings.

To protect this method from discovery, the application employs aggressive obfuscation techniques. The communication between the app and the C2 servers is heavily encrypted, preventing security researchers from easily inspecting the payload being delivered. Also, the Arizona Attorney General's lawsuit claims that the app contains "large swaths" of code identical to that found in the banned Pinduoduo app, suggesting a direct transfer of malware technology between the two entities. This.

Tell me about the C++ code compilation: mechanisms for post-installation behavior modification of PDD Holdings.

SECTION 5 of 14: C++ Code Compilation: Method for Post-Installation Behavior Modification

The structural integrity of the Temu application relies on a sophisticated engineering strategy that prioritizes obfuscation over transparency. While the majority of Android applications are written in Java or Kotlin—languages that are relatively easy for security researchers to decompile and inspect—Temu breaks from standard industry practice by burying its most sensitive logic within compiled C++ code. This architectural.

Tell me about the excessive permissions: analysis of 24 undisclosed access requests of PDD Holdings.

The analysis of Temu's permission requests reveals a digital architecture that mirrors aggressive surveillance software rather than a benign e-commerce platform. While standard shopping applications require a limited set of authorizations—restricted to network access and payment processing—Temu's manifest demands an array of 24 permissions. Several of these requests grant deep system access that is fundamentally disconnected from the user's shopping experience, creating a vulnerability vector that security researchers is designed.
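As an added example (not code from this review, from Grizzly Research or from PDD Holdings), the following static triage script applies the two checks discussed here and in the `DexClassLoader` and C++ sections above: it looks for dynamic-code-loading and native-library references in a dex string table and counts manifest permissions against a short list of runtime-sensitive ones. The manifest and dex strings are constructed samples, the indicator lists are illustrative rather than exhaustive, and the escalation rule is an assumption of this example, not a published detection standard.

```python
"""Static triage of artefacts extracted from an Android APK for the indicators
discussed above: dynamic code loading (DCL), native library loading and
permission sprawl. Inputs below are constructed samples, not taken from Temu."""
import xml.etree.ElementTree as ET

# Real Android framework references that pull executable code in after install
# (illustrative list, not exhaustive).
DCL_INDICATORS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/InMemoryDexClassLoader",
    "dalvik/system/PathClassLoader",
    "Ljava/lang/System;->loadLibrary",
)
# Runtime ("dangerous") permissions with no obvious role in a shopping flow.
SENSITIVE_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CALL_LOG",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

def find_dcl_indicators(dex_strings):
    """Return the DCL-related references present in a dex string table."""
    return sorted({ind for s in dex_strings for ind in DCL_INDICATORS if ind in s})

def manifest_permissions(manifest_xml):
    """List every <uses-permission android:name=...> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME) for el in root.iter("uses-permission")]

def triage(manifest_xml, dex_strings):
    perms = manifest_permissions(manifest_xml)
    sensitive = sorted(p for p in perms if p in SENSITIVE_PERMS)
    dcl = find_dcl_indicators(dex_strings)
    return {
        "permission_count": len(perms),
        "sensitive_permissions": sensitive,
        "dcl_indicators": dcl,
        # Escalation rule (assumption): DCL plus sensitive permissions means the
        # reviewed code is not necessarily the code that will run with them.
        "needs_manual_review": bool(dcl) and bool(sensitive),
    }

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "loadClass",
                      "Ljava/lang/System;->loadLibrary", "https://example.invalid/update.jar"]
```

Call `triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS)` to see the flagged indicators; on a real sample, feed it the strings dumped from `classes.dex` and the decoded manifest.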
