Cybersecurity News

Arizona Attorney General Sues Chinese Retailer Temu Over Alleged Data Theft

Arizona Attorney General Kris Mayes has filed a landmark lawsuit against Chinese e-commerce giant Temu and its parent company, PDD Holdings Inc., accusing them of massive consumer data theft and privacy violations.

Filed on December 2, 2025, in Maricopa County Superior Court, the suit claims that Temu’s mobile app engages in deceptive practices under the Arizona Consumer Fraud Act by collecting vast amounts of sensitive user data without proper consent.

This marks Arizona as the fourth U.S. state to target Temu, following similar actions by attorneys general in Kentucky, Nebraska, and Arkansas.

The complaint details how Temu’s app requests excessive Android and iOS permissions, far beyond what’s needed for shopping.

It allegedly harvests GPS location data in real time, tracking users to precise locations such as doctors’ offices, public libraries, political rallies, or friends’ homes.

The app also scans and catalogs installed third-party apps on devices, creating detailed behavioral profiles.

Prosecutors highlight Temu’s use of obfuscated code, such as dynamic loading of trackers and anti-analysis routines, to bypass Apple and Google’s app store security reviews.

This includes embedding SDKs (software development kits) from analytics firms that funnel data to servers in China, evading detection during static scans.

Technical Privacy Violations and National Security Risks

From a cybersecurity perspective, the lawsuit exposes Temu’s aggressive data-exfiltration tactics.

Once installed, the app purportedly activates persistent background services that monitor clipboard content, keystrokes via accessibility features, and even device identifiers such as IMEI and advertising IDs.

Without explicit opt-in, this data streams to PDD servers, potentially totaling gigabytes per user over time.

Experts note similarities to spyware: Temu allegedly employs certificate pinning to block man-in-the-middle attacks and uses HTTPS tunnels to obscure payloads.

A core concern is China’s National Intelligence Law (2017), which mandates that companies like PDD surrender data to the government upon request, with no warrant required.

This raises fears that U.S. user profiles could be weaponized for espionage or influence operations.

Mayes called it “the gravest violation” of state law, citing risks to personal safety from doxxing or stalking via location histories accurate to within meters.

Temu also faces charges of intellectual property theft, allegedly copying designs from Arizona brands like the Cardinals NFL team and Arizona State University without permission, undercutting local businesses.

Temu’s Defense and Broader Implications

Temu dismissed the claims in a Wednesday statement, insisting it provides “quality products at affordable prices” while prioritizing user trust.

The company claims compliance with U.S. privacy laws, such as the CCPA, and points to its privacy policy disclosures.

This case underscores growing scrutiny of Chinese apps amid U.S.-China tech tensions.

Security researchers recommend that users revoke Temu permissions in device settings, delete the app, and scan for residual data using tools like Exodus Privacy.

As litigation advances, it could force app stores to tighten SDK vetting, protecting millions from covert surveillance.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
