拼多多 做空?qǐng)?bào)告介紹

()Q=REPORTSRESEARCHWebelievePDDisaDyingFraudulentCompanyanditsShoppingAppTEMUisCleverlyHiddenSpywarethatPosesanUrgentSecurityThreattoByGRIZZLYRESEARCH(HTTPS://GRIZZLYREPORTS.COM/AUTHOR/GRIZZLY-RESEARCH/)18hoursago·TEMUappsoftwarehasthefullarrayofcharacteristicsofthemostaggressiveformsofmalware/spyware.Theapphashiddenfunctionsthatallowforextensivedataex?ltrationunbeknowntousers,potentiallygivingbadactorsfullaccesstoalmostalldataoncustomers’mobiledevices.Itisevidentthatgreate!ortsweretakentointentionallyhidethemaliciousintentandintrusivenessofthesoftware.。WeengagednumerousindependentdatasecurityexpertstodecompileandanalyzeTEMUapp’scode,integratedwithexpertsofourownsta!,andanalystswhohavewrittenindependentlyinthepublicdomain.Contributingtothedangerofmassdataex?ltrationisthefastuptakerateoftheTEMUapp:over100millionappdownloadsinthelast9months,allinU.S.andEurope.TEMUisnoto!eredinChina.TheTEMUappdevelopmentteamincludes100engineerswhobuiltthePinduoduoapp,whichearnedasuspensionfromtheGooglePlayStore.(Link(/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html))Pinduoduoappgotreinstatedbyremovingthe“badparts”,someofwhichwereidenticallyutilizedascomponentsoftheTEMUapp,stronglyindicatingmaliciousintent.·WestronglysuspectthatTEMUisalready,orintendsto,illegallysellstolendatafromWesterncountrycustomerstosustainabusinessmodelthatisotherwisedoomedforfailure.CheapChinashoppingappshavepreviouslyproventhatthebusinessmodelissimplynotsustainablypro?table.WwasaprominentcasestudyandSheinanaggressivecurrentcompetitor.TikTokhasannouncedtheirentryintothespace.TEMUisestimated(Link(/story/temu-is-losing-millions-of-dollars-to-send-you-cheap-socks/))tobelosing$30perorder.Itsadspendingandshippingcosts(1-2weeksfromChina,expeditedtoU.S.delivery)areastronomical.Oneisleftwonderinghowthisbusinesscouldeverbepro?table.TEMUisanotoriouslybadactorinitsindustry.Weseerampantusermanipulation,chain-letter-likea"nityscamstodrivesignups,andoverall,themostaggressiveandquestionabletechniquestomanipulatelargenumbersofpeopletoinstalltheapp.·AU.S.CongressionalcommitteehasalreadydraftedHR1153(/bill/118th-congress/house-bill/1153)whichwouldseriouslyimpairTEMU’sbusinessmodeland/orempowertheU.S.PresidenttobanfromtheU.S.。AllowstheU.S.topunishTEMUforex?ltratingusers’personaldatatoChinawithoutknowledgeorpermission.SlamclosedaloopholeafordingTEMUaccesstoU.S.consumerswithafreepassonpostage,customsinspectionsortarifs.U.S.businessesdon’tenjoysymmetricalrights(/research/shein-temu-and-chinese-e-commerce-data-risks-sourcing-violations-and-trade-loopholes)totheChineseconsumermarket.TEMUisdemonstrablymoredangerousthanTikTok.TheappshouldberemovedfromtheGoogleandAppleappstores.·WebelievePDD’s?nancialsarenotoriouslyunreliable.EventheusuallypromotionalsellsideanalystshavepointedoutthatPDD’saccountingisakintoa“BlackBox”asdisclosurebecomesevermoreopaque.Despitebeingacompanywithamarketcapofappx$135billion,PDDhasnothadaCFOsince2018.Thekey?nancialpositionsarearevolvingdoor.Thereseemstobenoaccountability.ThelocalauditpartnersfromErnst&YoungHuaMingLLPareinourjudgmentuntrustworthyandhaveauditednumerousChinesecompanieswhoseshareshaveprovennexttoworthlessinthepast.。OuranalysisshowsthatPDDmighthaveunderreporteditsemployeecounttoU.S.investorsaccordingtotheirownstatementsinChina.Undercountingemployeesoverstatespro?tabilityinreported?nancials.PDDhasbeenreportedlyinvolvedinmajororderbrushingscandals,andallegationsthat7bnRMBofillicitgamblingtra"cwaslaunderedroutedthroughPDD’splatform.·ImportantoperatingmetricsindicatePDD’sChinabusinessisrapidlydecliningwhileitlosesa?ercebattlewithcompetitorssuchasAlibabaandJD.Alibaba’sregulatoryissuesinChinaseemtohavebeenresolvedinJuly2023.Withouttheburdenofregulatoryintervention,weseethisplayertakingsubstantialsharefromPDD.Atthesametime,JDisincreasingitsefortstotakemarketsharefromPDDandsees?rstindicationsofverypromisingresults.MultipledatasourcesinChina,aswellasGoldmanSachs,havealreadyreportedthatPDD’sdailyaverageusers(DAU)metricisstartingtodeclinemorerapidly.Theyear-over-yeardeclineinDAUforthemonthofJuneisover20%.Thisseemstouslikeafast-deterioratingbusiness.·PDDisabusinessthatisrunforthebene?tofinsidersratherthanshareholders.PDDHoldingsbuiltapaymentsplatformthatituses.However,managementhascarvedouttheentirepaymentsbusinessforitself(theAliPayplaybook).Webelievemanagementhasprivatelyretainedthemostattractivepartofthebusinessforitself.Alargenumberofsharesareunaccountedfor.BillionsofUSDworthofstockreportedlywent“missing”.Somesupposedlywenttocharityandsometoventurecapitalinvestor.Weseethisabsenceoftransparencyasanotherred?ag.Part1:WeBelieveTEMUistheMostDangerousAppinWideCirculationHighlyDangerousSpyware/MalwareCharacteristicsinTEMUappAnalysisofPDD’sappsoftwarebymultipleexpertsisshowingallthesignsofred-?agconcern.Thecallstooutsidedevicedataandfunctionsthatviolateusers’privacyarefarmoreaggressivethananywell-knownconsumershoppingapp.Ourexpertsidenti?edastackofsoftwarefunctionsthatarecompletelyinappropriatetoanddangerousinthistypeofsoftware.TEMUusesthemall.ComparisonofSecurityIssuesappearinginTEMUandcompetitivelandscapeapps.*Green)areamongtheleastdangerous.TheissuesforwhichonlyTEMUis?aggedred(Row1,4,10,15)areamongthemostdangerous—andarethemostlikelytobecombinedtomakeactualspyware.Theseissuesoccurinthepartsofthecodethatareproprietary,obscured,and/orfromacodelibraryrarelyused,poorlyprogrammedbyanichecompany.*ThisanalysiswasperformedAugust30,2023.We?ndtheandroid.permissionentriesreferencedintheproprietarypartsofthedecompiledsourcecode,“Rarelyused”librariesbeingthosethataren’tdirectlyfromthelargetrustworthytechcompaniesmentionedinthisstatement.Itiscommonpracticetoonlyuselibrariesauthoredbythebigtech?rms.Veryselectiveactivationofthemostinvasivefeatures,orTEMU’sabilitytocallthemondemandfromserversinChina,orsideloadevenmoreinvasivebehaviorintoupdatesordynamic(runtime)compilation,isallloomingintheriskpro?leoftheinstalledTEMUapp.CultureofConsumerPrivacyViolationsCollideswithU.S.CongressWheredoesallthatex?ltrateddatawindup?Chinahasimplementedalawrequiring:“Thestateshallprotectindividualsandorganizationsthatsupport,cooperatewith,andcollaborateinnationalintelligencework.”ChinesecompaniescanonlyoperateiftheirentiredatabasesareaccessibletoChinesegovernmentagencies.(Link(/article/technology-business-china-data-privacy-1d3fcbac4549c6968c07897900c96cc3))Inparticular,theChinesemilitaryhasbeencloselytiedforoveradecadetoChinese-basedhackingagainsttheU.S.(Link(/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html))Withtrade,defense,andtechnologytensionsbetweentheU.S.andChinalooming,thereiseveryreasontoanticipatethattheChineseState’swouldhaveinterestinacompany’sabilitytoex?ltrateauser’slocationwithin10feet,plushighlypersonaldatabelongingto“partiesofinterest”:U.S.governmentemployees,membersoftheU.S.military,policeandsecurityo"cers,universityresearchemployees,Chineseexpats,plusmembersofoppressedminoritieswhomighthavefamilymemberswhoareTEMUcustomersinanyWesterncountry.Ofcourse,theChineseStateSecurityapparatushasaninterestintextmessagestoandfromanyU.S.citizenswhocommunicatewiththem.Buyingpatterns,combinedwithgeo-locationandpersonaldata,mightrevealactionableintelligenceaboutanyofus.WhenyouthinkaboutthepossibilitiesofourpoliticalalignmentsbeingassessedandmanipulatedbyaforeigncountryrunningoursmartphonedatathroughitsAIengines,therisksbecomenotonlytangible,butmagni?ed.WebelievemanyU.S.legislatorsalreadythinktheserisksareunacceptablyhigh,withnochanceofafairreciprocalopportunityforU.S.?rmstooperatelikethisinChina.(Thisisnotaliberalvs.conservativegridlockedissue.Legislatorsfrombothsidesoftheaisleareengagedintheseissuesrightnow.)Congressisalreadyinvolved.Theyjustneedto?gureoutthatTikTokisn’ttheworstthreatweface:TEMUis!HR1153(/bill/118th-congress/house-bill/1153)isalreadybeforeCongress,butmosteveryonethinksit’saboutbanningTikTok!Readon!directiveprohibitingU.S.personsfromengaginginanytransactionwithanypersonwhoknowinglyprovidesormaytransfersensitivepersonaldatasubjecttoU.S.jurisdictiontoanyforeignpersonsubjecttoChinesein?uence.Thebillalsoestablishesnewsanctionsoncertaintransactionsrelatedtoconnectedsoftwareapplications.Forexample,thePresidentmustimposeasanctiononanyforeignpersonthatknowinglyoperates,directs,ordealsinaconnectedsoftwareapplicationthatissubjecttothejurisdictionofChinaandisreasonablybelievedtohavebeenormaybeusedtofacilitateorcontributetoChina’smilitary,intelligence,censorship,surveillance,cyber,orinformationcampaigns.It’swidelyassumedbysecurityexpertsandpoliticiansthatanyuserdataacquiredbyaChinesecompanywindsupindatabasesaccessibletoChineseSecurityServices.Butwe’reabouttoshowyouwhyTEMU’sappsaremuchmoredangerousthananythingTikTokmightbedoing.AHeritageofMalware:TEMU‘sAppismaliciousspywarewhosecodebaseissharedwithPinduoduo’spreviouslysuspendedappThereisstrongevidencethatelementsofPinduoduo’srecentlysuspended(andsubsequentlyreinstated)?agshipappareinplaceinPinduoduo’smalwarewasnotafringeorcircumstantiale!ort.PDDrecruitedandhiredateamof100programmersto?ndandexploitOEMcustomizationsofAndroid(installedonmainstreambrandsoflow-pricedsmartphones),intendingtoexploitvulnerabilitiesauditedlessoftenthanthemainlineAndroidcodebase(estimatesofover50suchvulnerabilitiesweretargeted).AsreportedbyCNN,(Link(/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html))oneofPDD’sstrategieswastorunthissoftwareonlyinsmalltownsandotherrural,lessdevelopedareasofChina,avoidingBeijingandShanghai,toevadedetectionduringdevelopment.“Wehaven’tseenamainstreamapplikethistryingtoescalatetheirprivilegestogainaccesstothingsthey’renotsupposedtogainaccessto.It’sprettyunusual,anditisprettydamningforPinduoduo”–MikkoHypp?nen,cybersecurityexpert.“I’veneverseenanythinglikethisbefore.It’ssuper-expansive.”—SergeyToshin,AndroidSecurityExpert,founderofOversecuredOnMarch21,2023,Googleannounced(https://insideretail.asia/2023/03/24/google-suspends-chinas-pinduoduo-app-on-security-concerns/)suspensionoftheGooglePlayStoreversionofPDD’sPinduoduoappduetosecurityconcerns,aftermalwareissueswerefoundonversionsoutsideofGoogle’sownPlayStore.(AlthoughmalwareiscommonenoughonAppStores,installing“sideloaded”appsisalwaysanevenriskierpractice.)AfterGoogle’sPlayStoresuspendedPinduoduo,parentPDDmadeabigshowofissuingaPinduoduoupdate,purportedlyremovingthemalware(seeourtechdiscussionofthissuddenchange,andwhatwelearnedfromit,below).Pinduoduodisbandedand“?red”theteamresponsibleforthemalware.Butthatwasforshow.Ofcourse,theywereimmediatelyallhiredbyPDD’sothercompany,TEMU,and“reassigned”.(SameLink(/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html),sameCNNstoryaslinkedabove.)AppSoftwareAnalysisandExpertQuotesLikeanyprobesearchingformalware/spyware,ouranalysisbeginswithasearchforaggressive,potentiallyinvasivesystemcallsthatwouldbecomponentsofexecutingcodethathavethepowertoex?ltrateinappropriateuserinformationthatviolatesappstorepolicies,andinvadesuser’sprivacy.Speci?cattentionisdrawntosoftwareexecutionwhoseintentistohideorobfuscatemalignactionsfromanalystsand/orautomatedsecurityscans.Thissectionistechnicalbecausemalware/spywarecreationanddetectionisacat-and-mousegameconductedbysoftwareengineers.ThesearesomeofthesecurityissuesfoundinTEMU’sapp:1)Dynamiccompilationusingruntime.exec().Acrypticallynamedfunctioninthesourcecodecallsfor“packagecompile”,usingruntime.exec().Thismeansanewprogramiscreatedbytheappitself.—Compilingistheprocessofcreatingacomputerexecutablefromahuman-readablecode.Theexecutablecreatedbythisfunctionisnotvisibletosecurityscansbeforeorduringinstallationoftheapp,orevenwithelaboratepenetrationtesting.Therefore,TEMU’sappcouldhavepassedallthetestsforapprovalintoGoogle’sPlayStore,despitehavinganopendoorbuiltinforanunboundeduseofexploitativemethods.ThelocalcompilationevenallowsthesoftwaretomakeuseofotherdataonthedevicethatitselfcouldhavebeencreateddynamicallyandwithinformationfromTEMU’sservers.“That’sbad.That’sreallybad,becauseiftheyarelocallycompilingpackages,thentheycanliterallydoanythingtheywantatanytime.Itmeansthatyoucan’tanalyzebecausethesystemistrulydynamic.”Thisfeaturealoneisa“wildcard”thatloomsovermostspeci?crisksofmalware.It’slikedebatingwhohasthemostkeystobreakintoabuilding,whenyouholdthemasterkeyinyourhand.Putanotherway,ifalltherestoftheobjectionablecodewasremoved,whilethisonebackdoorwentundetectedduetoitsconcealment,theappcouldbecomejustasmalignant,bychangingitsbehavior,controlledbyforeignservers,inalmostallpossiblewaysandreactivetoallfuturedevelopmentsoftheapp,theregulationsandallotherpossiblein?uences.Forexample,TEMUcanpotentiallysendsourcecode,encryptedandmasqueradingasanyunsuspiciouspieceofdata,whichisthencompiledintoanexecutableontheclient’sphone.executingdynamiccompilingusingruntime.exec().2)We?ndtheandroid.permissionentriesreferencedintheproprietarypartsofthedecompiledsourcecode,excludingoccurrencesinwidelyusedandsecurestandardlibrariesbyAndroid,Google,Facebook,PayPalandKlarna.Whywouldtheproprietarysourcecodereferencethesepermissions,ifitdoesn’thavetheoptiontousetheminspeci?cscenarios?Mostimportantly,manyofthesepermissionsinTEMU’ssourcecodearenotlistedintheirAndroidManifest?le,whichisthestandardizedoverviewsourceforanapp.Forscrutinizingpermission,theAndroidManifest?leisthe?rstsourcetocheckpermissions.NotmentionedintheAndroidmanifestarethepermissioncoincidencethatthesepermissionsarethemostintrusiveoneswhenitcomestospyingpotential.Forcomparison,alltheotherappslistedinthecohorttableenumerateallofthesepermissionsintheirAndroidManifest,iftheyusethematall.Theonlyexceptionis3)TEMUqueriesinformationrelatedto?les,andnotjustitsown?les,butwantsinformationonall?lesontheuser’sdevicebyreferencing“EXTERNAL_STORAGE”,superuserrightsandlog?les.Inotherwords,dependingonthespeci?cAndroidversion,theappcanbeusedtoread,processandmodifyalluserandsystemdata:chatlogs,images,usercontentonotherappsandsoon.3a)Theappincludes?leuploadfunctionalitythatisbasedonacommandserverconnectedtotheirAPI‘’.Thismeansthatonceausergrants?lestoragepermissiontotheTEMUapp–evenunwittingly–TEMUwillbeabletoremotelycollectanyandall?lesfromtheuser’sdeviceandsendthemtotheirownservers.Dittoforanyotherprivacy-intrudingpermission.NOTE:Manyifnotallusersaretypicallyfatiguedandimpatientwhenfacedbyappinstallationdialogboxes,whentheydonotunderstandtheconsequences.TEMU,likeothermajorshoppingappsincludingAmazon,Ebayandmanyothers,apparentlygainsaccesstotheuser’s?lesystemandtheirgeographiclocationatonetimeoranother,duringinstallationoroperation.Weestimatethatfewerthan10%ofuserswillbeawareenoughtorefusetograntthesepermissionstoanappthathasitsprogrammingteamandmainserversinChina.Butformostusers,it’sjustacheckbox,andonceit’sdone,it’sforgotten.It’slikegoingonalongvacationandleavingthesafeinyourhomeunlockedandopen.Moreonthislater.3b)Slippinginpermissionsrequestswithbigconsequences.Here’showthisworks.TheTEMUappdoesn’taskaggressivelyforalotofpermissionswhenyou?rstinstallit.But,forexample,onceyoulearnyoucanpostapictureandTEMUcansearchitslistingsforasimilaritemono!er,youmightwanttotrythatengagingfeature.Searchforanitemlikeaphoto,andTEMUasksforlocationpermission.Soyouuploadaphotoofashirt.TEMUthrowsyouanordinaryAndroidscreenthatrequestspermissionforPreciseorApproximatelocation.(Noticehowitdefaultsto“Precise”.)Becauseofthecontext—rememberyouwerejusttryingtouploadaphotofromyourcamera—youassumeyou’rebeingaskedforpermissiontopostyourlocationtothephotosyoutakewhileintheTEMUapp.Soyouclick‘Whileusingtheapp’andgoonaboutyourmerryway.Nowyoucanlookforametallicbluecomputermousefor$3.00orabeachshirtlikethecoolphotoonyourscreenforunder$4.00.Great!Howwouldyouknowthatyou’vejustgrantedTEMUaccesstoyourlocationwithin10feetwheneveryouuseTEMU’sapp?(Notjustwhenyoutakeaphoto?)WhydidTEMUevenaskforthatpermissionatthatpoint?Goodquestion!Yousee,thereisnospeci?cpermissiontogrant“Precise”locationtoyourcamera.Inthiscase,youhavejustgranted“Precise”locationpermission(FINE_PERMISSION)toyourphone,wheneveryouareusingtheTEMUapp.Youwouldn’tsuspectthattheTEMUappcontainsafullstackofmalware/spywaretoolstodojustaboutanythingitwantswithyourphoneandgetnearlyanythingstoredonitsenttoitsownserversinthebackground.AnditmasksitsintentionsbecausesoftwarethatviolatesyourprivacyisgenerallynotpermittedtobepostedfordistributioninGoogle’sPlayStoreorApple’sAppStore.GrantTEMUaninnocuouslookingpermissionsrequest,andyou’vejustgivenawaytheelectronicversionofyourhousekeys,yourcarkeys,andthecombinationtoyoursafe,yourkeystoyour?ledrawers,yourphotostorage,etc.,etc.,…allofit.4)Location,location,location.AndroidimplementedthesystemfunctionACCESS_COARSE_LOCATIONspeci?callysoappscouldacquiresomereasonableleveloflocationdatawithoutcompromisingusers’privacy.ButdoesTEMUusethat?Noooo!Asyouseefromourappcomparisontableabove,TEMUgetsitshandsonACCESS_FINE_LOCATION,to?ndoutwhereyouarewithin10feetorso,aquerysointrusivethattheAndroidteamitselfdoeseverythingitcantodiscouragetheuseofACCESS_FINE_LOCATIONexceptwhenabsolutelyneededforcoreappfunctionality(suchasamapapp).(Link(/training/location/permissions))CanTEMUascertainyourexactlocationrightnow,youask?Fromwhatwesee,onlywhentheTEMUappisrunning.Beyondthat,unfortunately,oursecurityexpertscan’ttellyou.Itdepends…onwhatversionofAndroidyouarerunning,onthepermissionsyou’vegrantedtotheTEMUapp,andwhetheryou’reconnectedtooneormorecelltowersrightnow.intrusivebydevelopersunlessspeci?callyneededforcorefunctionality.Wehopethisexamplehelpsclarifythepersonalurgencywefeelaswesharethesediscoveries.5)“Root”access.TEMUchecksifadevicehas“root”access.Withrootaccess,theuserandtheTEMUappareabletoread,modifyandwritenotonlyuser?les,butall?lesonthedevice,includingalltheprogrammingofotherappsandtheoperatingsystem.TEMUcouldtheoreticallybrickanydevicewheretheuserhas“root”accessandTEMUhas?lewritingpermissions.Maximumdanger!6)Encryption,decryptionandshiftingintegersignalslibrariesareinpriorversionsofPinduoduoandTEMUapps.Theonlypurposeofthisisobscurationofmaliciousintent.PDDveryquicklyremovedthiscomponentinbothappswhencaughtbyGoogleinPinduoduo.Before/afteranalysisofthissuddenchangetoPinduoduo’sandTEMU’scodebaserevealsadditionalconclusions.Seesection‘AnalysisofPDD’s“Cleanup”actions’fordetails.“Well,it’sobfuscation,andcertainlymaliciouscodewantstobeobfuscated.Iamnotafanofthisstu!forthereasonsyoustate,buttherearepeoplewhowanttoprotecttheirtradesecretswithobfuscatedcode.I’mnotafan.Combinedwithsomethingabove(loadable,compiledcode)alongwithobfuscation,Ithinkit’saworry.”7)AndroidversionandOEMexploits:TEMU’ssoftwareteamincludesengineerswhowrotePinduoduo’sapp,whichcontainedexploitsforover50Androidsecurityweaknesses,(Link(/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html))includingmanywrittenforOEMcustomizationcode,whichissubjecttolesssecuritythanthemainAndroidcodebase.InformationabouttheAndroidversionisqueriedbysystemcalls.8)Debuggerinthehouse.CallsinthecodeincludeaqueryDebug.isDebuggerConnected(),indicatingtotherunningappifadebuggerisengaged.Webelievethisisintendedtoobstructorobscureanalysisoftheapp,andmostlikelytochangeappbehaviorifananalystisinspectingitdynamically.“HUGEred?agtome.Morethananythingelse.Detectingadebuggermeans—well,youdon’twantanyoneelsetoknowwhatcodeyou’rerunning.”9)User’sSystemLogsTEMUappisreferencingsystemsdataoutsidetheboundsofTEMU’sownapp.TEMUseeminglyreadstheuser’ssystemlogs.ThisgivesTEMUtheabilitytotrackuseractionswithotherappsrunningontheuser’sdevice.Forthelesstechnicalreadingthis,thesystemlog?lesprovideexhaustivedetailsonalltheprocessesonthedevice,includingerrors,networkwarningsetc.It’sthedevice’ssecretdiary,withallitsmisstepsandmishapsdetailed.TEMU’scodereferencesthelog?les’addressandoptionsforshellcommands.Theonlyreasontointroducesuchstringsintotheproprietarycodeistogatherthelogdatatoobservetheuser’sactiveusageoftheirdevice.Inaccordancewiththis,TEMU’sapprequestsalistofrunningprocessesusinggetRunningAppProcesses(),whichtogetherwiththelog?lesseemstomaketheappinvestigatetheoveralldevices’activitiesquitethoroughly.TEMUapp’scodecorrespondireferencingtothesystemlog.10)LicenseandRegistration,please.TEMUasksfortheMACaddress,andotherdeviceinformation,andinsertsitintoaJSONobjecttobesenttotheserver.Thisisespeciallyaggressive.Whydoesashoppingappneedadatabaseoftechnicaldetailsoftheircustomers’devices?TheMACaddressisagloballyuniqueidenti?erofanydeviceinanynetwork.Thismeans,inthecommunicationwiththeserver,TEMUcanpotentiallysendinformationandsourcecodetoaspeci?cuseronaspeci?cdevice.referencingthedevice-speci?cMACaddresssTheTEMUappevenreadsandstorestheMACaddress,whichisauniqueandglobalhardcodednetworkidenti?erofadevice.ThisisabigNoNoininternetsecurity.ADistributedDenialofService(DDOS)attackandotherunwantedsecurityprobescouldconceivablybelaunchedagainstadisclosedMACaddress.11)Lookingoveryourshoulderwhileyouuseyoursmartphone.TEMUcallsgetWindow().getDecorView().getRootView(),tomakescreenshotsanditstoresthoseresultsina?le.Screenshotshavebeenusedbeforeasaconvenientwaytospyoncustomers’activities.WhatbusinessofTEMU’sisitwhatotherprogramsanddataareonyourcomputerscreen?“Wellknownabusivething.It’showabusiveappsknowthatyouhavesomeotherappinstalled.Itcanalsobeusedforhackingcredentialsandsoon.…Thisisadanger.Anotherbigred?ag.”12)TheRiggedSpinner:WhenyouclickonaTEMUdisplayadoraGoogle“ProductShowcase”(horizontalscrolling)addisplayedbyGoogleinresponsetoaspeci?csearchterm,yourclickgoestoTEMU,asdoesotherdata,includingwhatproductyouclickedon(manyTEMUadsshowmultipleproducts–seebelow—andwhoknowswhatelse).Theriggedspinneralwaysperformsthesamelittlescript.Italwaysstopson“OneMoreChance”,thenevenifyoutriedtobrowseaway,itstopsonthebrightorangewedgewiththebiggestdiscount…everytime.Ifyou losepatiencewiththislittlecharade,youcan’tclick“X”toexit.Youarecaptive—youhavetoclosethebrowserwindowtogetaway.13)Shieldsdown,LieutenantUhura.Whywouldaserviceproviderintentionallyandarbitrarilylowerencryptionstandards?Onceauserhasgranted?lestoragepermissiontoTEMU,evenbyaccidentorbyvirtueofnotknowingwhatthatisorwhyitmightbeinvitingproblems,(Seepoints3)and3aabove)TEMUwillbeabletoreadandtransmitanyandall?lesontheuser’ssystem,withlittleornoencryption.14)Lights,camera,action!TEMU’sappreferencesaccesstotheusers’cameraandmicrophone,whenevertheappisrunning.Whydoesashoppingappneedaccesstoyourcameraandmicrophone?Theappusesthecameraoccasionally,forexampleforuploadeduserpicturesinthereviewandimagesearchpartsoftheapp.However,duringourtesting,wedidnot?ndanyapplicationfortheRECORD_AUDIOaccess.Recordingaudiowouldobviouslybeaveryexploitablefunctionforpossiblespypurposes.15)ComplexdynamicDNSnaming:WheneveraTEMUusersignsintoaWiFinetwork,theapptriggersaninternetrequesttothestaticIPandreceivesanencryptedstringback.InTEMU’ssourcecodeafunctionDnsCon?gInfo()referencesthisIP,indicatingthattheinternetrequestisrelatedtodynamicnamingofwebaddressesbyTEMU.Thefunction’snamecanalsobeamisleadingmasquerade,ofcourse.OuranalystsquestionedwhythisexchangeisencryptedandwhyTEMUwouldusealayerofapparentlycomplexdynamicnamingdespiteowningstaticIPad