- TEMU app software has the full array of characteristics of the most aggressive forms of malware /spyware.
- The app has hidden functions that allow for extensive data exfiltration unbeknown to users, potentially giving bad actors full access to almost all data on customers’ mobile devices.
- It is evident that great efforts were taken to intentionally hide the malicious intent and intrusiveness of the software.
- We engaged numerous independent data security experts to decompile and analyze TEMU app’s code, integrated with experts of our own staff, and analysts who have written independently in the public domain.
- Contributing to the danger of mass data exfiltration is the fast uptake rate of the TEMU app: over 100 million app downloads in the last 9 months, all in U.S. and Europe. TEMU is not offered in China.
- The TEMU app development team includes 100 engineers who built the Pinduoduo app, which earned a suspension from the Google Play Store. ( Link )
- Pinduoduo app got reinstated by removing the “bad parts”, some of which were identically utilized as components of the TEMU app, strongly indicating malicious intent.
- We strongly suspect that TEMU is already, or intends to, illegally sell stolen data from Western country customers to sustain a business model that is otherwise doomed for failure.
- Cheap China shopping apps have previously proven that the business model is simply not sustainably profitable. Wish.com was a prominent case study and Shein an aggressive current competitor. TikTok has announced their entry into the space.
- TEMU is estimated ( Link ) to be losing $30 per order. Its ad spending and shipping costs (1-2 weeks from China, expedited to U.S. delivery) are astronomical. One is left wondering how this business could ever be profitable.
- TEMU is a notoriously bad actor in its industry. We see rampant user manipulation, chain-letter-like affinity scams to drive signups, and overall, the most aggressive and questionable techniques to manipulate large numbers of people to install the app.
- A U.S. Congressional committee has already drafted HR 1153 which would seriously impair TEMU’s business model and/or empower the U.S. President to ban from the U.S.
- Allows the U.S. to punish TEMU for exfiltrating users’ personal data to China without knowledge or permission.
- Slam closed a loophole affording TEMU access to U.S. consumers with a free pass on postage, customs inspections or tariffs. U.S. businesses don’t enjoy symmetrical rights to the Chinese consumer market.
- TEMU is demonstrably more dangerous than TikTok. The app should be removed from the Google and Apple app stores.
- We believe PDD’s financials are notoriously unreliable.
- Even the usually promotional sell side analysts have pointed out that PDD’s accounting is akin to a “Black Box” as disclosure becomes ever more opaque.
- Despite being a company with a market cap of appx $135 billion, PDD has not had a CFO since 2018. The key financial positions are a revolving door. There seems to be no accountability.
- The local audit partners from Ernst&Young Hua Ming LLP are in our judgment untrustworthy and have audited numerous Chinese companies whose shares have proven next to worthless in the past.
- Our analysis shows that PDD might have underreported its employee count to U.S. investors according to their own statements in China. Undercounting employees overstates profitability in reported financials.
- PDD has been reportedly involved in major order brushing scandals, and allegations that 7bn RMB of illicit gambling traffic was laundered routed through PDD’s platform.
- Important operating metrics indicate PDD’s China business is rapidly declining while it loses a fierce battle with competitors such as Alibaba and JD.
- Alibaba’s regulatory issues in China seem to have been resolved in July 2023. Without the burden of regulatory intervention, we see this player taking substantial share from PDD.
- At the same time, JD is increasing its efforts to take market share from PDD and sees first indications of very promising results.
- Multiple data sources in China, as well as Goldman Sachs, have already reported that PDD’s daily average users (DAU) metric is starting to decline more rapidly. The year-over-year decline in DAU for the month of June is over 20%. This seems to us like a fast-deteriorating business.
- PDD is a business that is run for the benefit of insiders rather than shareholders.
- PDD Holdings built a payments platform that it uses. However, management has carved out the entire payments business for itself (the AliPay playbook). We believe management has privately retained the most attractive part of the business for itself.
- A large number of shares are unaccounted for. Billions of USD worth of stock reportedly went “missing”. Some supposedly went to charity and some to venture capital investor. We see this absence of transparency as another red flag.
Part 1: We Believe TEMU is the Most Dangerous App in Wide Circulation
Highly Dangerous Spyware / Malware Characteristics in TEMU app
Analysis of PDD’s app software by multiple experts is showing all the signs of red-flag concern. The calls to outside device data and functions that violate users’ privacy are far more aggressive than any well-known consumer shopping app.
Our experts identified a stack of software functions that are completely inappropriate to and dangerous in this type of software. TEMU uses them all.
Comparison of Security Issues appearing in TEMU and competitive landscape apps. *
Note TEMU shows all 18 threats Red, TikTok ( 10 Green ) and SHEIN ( 9 Green ) are among the least dangerous. The issues for which only TEMU is flagged red (Row 1, 4, 10, 15) are among the most dangerous — and are the most likely to be combined to make actual spyware.
These issues occur in the parts of the code that are proprietary, obscured, and/or from a code library rarely used, poorly programmed by a niche company.
* This analysis was performed on several versions of TEMU up to 1.99, as of August 30, 2023.
We find the android.permission entries referenced in the proprietary parts of the decompiled source code, “Rarely used” libraries being those that aren’t directly from the large trustworthy tech companies mentioned in this statement. It is common practice to only use libraries authored by the big tech firms.
Very selective activation of the most invasive features, or TEMU’s ability to call them on demand from servers in China, or sideload even more invasive behavior into updates or dynamic (runtime) compilation, is all looming in the risk profile of the installed TEMU app.
Where does all that exfiltrated data wind up? China has implemented a law requiring:
“The state shall protect individuals and organizations that support, cooperate with, and collaborate in national intelligence work.”
Chinese companies can only operate if their entire databases are accessible to Chinese government agencies. ( Link ) In particular, the Chinese military has been closely tied for over a decade to Chinese-based hacking against the U.S. ( Link )
With trade, defense, and technology tensions between the U.S. and China looming, there is every reason to anticipate that the Chinese State’s would have interest in a company’s ability to exfiltrate a user’s location within 10 feet, plus highly personal data belonging to “parties of interest”: U.S. government employees, members of the U.S. military, police and security officers, university research employees, Chinese expats, plus members of oppressed minorities who might have family members who are TEMU customers in any Western country. Of course, the Chinese State Security apparatus has an interest in text messages to and from any U.S. citizens who communicate with them. Buying patterns, combined with geo-location and personal data, might reveal actionable intelligence about any of us. When you think about the possibilities of our political alignments being assessed and manipulated by a foreign country running our smartphone data through its AI engines, the risks become not only tangible, but magnified.
We believe many U.S. legislators already think these risks are unacceptably high, with no chance of a fair reciprocal opportunity for U.S. firms to operate like this in China. (This is not a liberal vs. conservative gridlocked issue. Legislators from both sides of the aisle are engaged in these issues right now.)
Congress is already involved. They just need to figure out that TikTok isn’t the worst threat we face: TEMU is!
HR 1153 is already before Congress, but most everyone thinks it’s about banning TikTok! Read on!
HR 1153 says, in part: The Department of the Treasury can issue a directive prohibiting U.S. persons from engaging in any transaction with any person who knowingly provides or may transfer sensitive personal data subject to U.S. jurisdiction to any foreign person subject to Chinese influence.
The bill also establishes new sanctions on certain transactions related to connected software applications. For example, the President must impose a sanction on any foreign person that knowingly operates, directs, or deals in a connected software application that is subject to the jurisdiction of China and is reasonably believed to have been or may be used to facilitate or contribute to China’s military, intelligence, censorship, surveillance, cyber, or information campaigns.
It’s widely assumed by security experts and politicians that any user data acquired by a Chinese company winds up in databases accessible to Chinese Security Services. But we’re about to show you why TEMU’s apps are much more dangerous than anything TikTok might be doing.
There is strong evidence that elements of Pinduoduo’s recently suspended (and subsequently reinstated) flagship app are in place in PDD’s TEMU app.
Pinduoduo’s malware was not a fringe or circumstantial effort. PDD recruited and hired a team of 100 programmers to find and exploit OEM customizations of Android (installed on mainstream brands of low-priced smartphones), intending to exploit vulnerabilities audited less often than the mainline Android codebase (estimates of over 50 such vulnerabilities were targeted). As reported by CNN, ( Link ) one of PDD’s strategies was to run this software only in small towns and other rural, less developed areas of China, avoiding Beijing and Shanghai, to evade detection during development.
“We haven’t seen a mainstream app like this trying to escalate their privileges to gain access to things they’re not supposed to gain access to. It’s pretty unusual, and it is pretty damning for Pinduoduo”
– Mikko Hyppὃnen, cybersecurity expert.
“I’ve never seen anything like this before. It’s super-expansive.”
—Sergey Toshin, Android Security Expert, founder of Oversecured
On March 21, 2023, Google announced suspension of the Google Play Store version of PDD’s Pinduoduo app due to security concerns, after malware issues were found on versions outside of Google’s own Play Store. (Although malware is common enough on App Stores, installing “sideloaded” apps is always an even riskier practice.)
After Google’s Play Store suspended Pinduoduo, parent PDD made a big show of issuing a Pinduoduo update, purportedly removing the malware (see our tech discussion of this sudden change, and what we learned from it, below). Pinduoduo disbanded and “fired” the team responsible for the malware. But that was for show. Of course, they were immediately all hired by PDD’s other company, TEMU, and “reassigned”. (Same Link , same CNN story as linked above.)
App Software Analysis and Expert Quotes
Like any probe searching for malware / spyware, our analysis begins with a search for aggressive, potentially invasive system calls that would be components of executing code that have the power to exfiltrate inappropriate user information that violates app store policies, and invades user’s privacy. Specific attention is drawn to software execution whose intent is to hide or obfuscate malign actions from analysts and/or automated security scans.
This section is technical because malware / spyware creation and detection is a cat-and-mouse game conducted by software engineers.
These are some of the security issues found in TEMU’s app:
1) Dynamic compilation using runtime.exec(). A cryptically named function in the source code calls for “package compile”, using runtime.exec(). This means a new program is created by the app itself.—Compiling is the process of creating a computer executable from a human-readable code. The executable created by this function is not visible to security scans before or during installation of the app, or even with elaborate penetration testing. Therefore, TEMU’s app could have passed all the tests for approval into Google’s Play Store, despite having an open door built in for an unbounded use of exploitative methods. The local compilation even allows the software to make use of other data on the device that itself could have been created dynamically and with information from TEMU’s servers.
“That’s bad. That’s really bad, because if they are locally compiling packages, then they can literally do anything they want at any time. It means that you can’t analyze because the system is truly dynamic.”
This feature alone is a “wild card” that looms over most specific risks of malware. It’s like debating who has the most keys to break into a building, when you hold the master key in your hand. Put another way, if all the rest of the objectionable code was removed, while this one backdoor went undetected due to its concealment, the app could become just as malignant, by changing its behavior, controlled by foreign servers, in almost all possible ways and reactive to all future developments of the app, the regulations and all other possible influences. For example, TEMU can potentially send source code, encrypted and masquerading as any unsuspicious piece of data, which is then compiled into an executable on the client’s phone.
TEMU app code corresponding to Row 1 of Security Issues table above,
executing dynamic compiling using runtime.exec().
2) We find the android.permission entries referenced in the proprietary parts of the decompiled source code, excluding occurrences in widely used and secure standard libraries by Android, Google, Facebook, PayPal and Klarna. Why would the proprietary source code reference these permissions, if it doesn’t have the option to use them in specific scenarios? Most importantly, many of these permissions in TEMU’s source code are not listed in their Android Manifest file, which is the standardized overview source for an app. For scrutinizing permission, the Android Manifest file is the first source to check permissions. Not mentioned in the Android manifest are the permission requests for CAMERA, RECORD_AUDIO, WRITE_EXTERNAL_STORAGE, INSTALL_PACKAGES, and ACCESS_FINE_LOCATION. It is not a coincidence that these permissions are the most intrusive ones when it comes to spying potential. For comparison, all the other apps listed in the cohort table enumerate all of these permissions in their Android Manifest, if they use them at all. The only exception is ACCESS_FINE_LOCATION by TikTok.
3) TEMU queries information related to files, and not just its own files, but wants information on all files on the user’s device by referencing “EXTERNAL_STORAGE”, superuser rights and log files. In other words, depending on the specific Android version, the app can be used to read, process and modify all user and system data: chat logs, images, user content on other apps and so on.
3a) The app includes file upload functionality that is based on a command server connected to their API ‘us.temu.com’. This means that once a user grants file storage permission to the TEMU app – even unwittingly – TEMU will be able to remotely collect any and all files from the user’s device and send them to their own servers. Ditto for any other privacy-intruding permission.
NOTE: Many if not all users are typically fatigued and impatient when faced by app installation dialog boxes, when they do not understand the consequences. TEMU, like other major shopping apps including Amazon, Ebay and many others, apparently gains access to the user’s file system and their geographic location at one time or another, during installation or operation. We estimate that fewer than 10% of users will be aware enough to refuse to grant these permissions to an app that has its programming team and main servers in China.
But for most users, it’s just a checkbox, and once it’s done, it’s forgotten. It’s like going on a long vacation and leaving the safe in your home unlocked and open. More on this later.
3b) Slipping in permissions requests with big consequences. Here’s how this works. The TEMU app doesn’t ask aggressively for a lot of permissions when you first install it. But, for example, once you learn you can post a picture and TEMU can search its listings for a similar item on offer, you might want to try that engaging feature.
Search for an item like a photo, and TEMU asks for location permission.
So you upload a photo of a shirt. TEMU throws you an ordinary Android screen that requests permission for Precise or Approximate location. (Notice how it defaults to “Precise”.) Because of the context — remember you were just trying to upload a photo from your camera — you assume you’re being asked for permission to post your location to the photos you take while in the TEMU app. So you click ‘While using the app’ and go on about your merry way. Now you can look for a metallic blue computer mouse for $3.00 or a beach shirt like the cool photo on your screen for under $4.00. Great!
How would you know that you’ve just granted TEMU access to your location within 10 feet whenever you use TEMU’s app? (Not just when you take a photo?) Why did TEMU even ask for that permission at that point? Good question!
You see, there is no specific permission to grant “Precise” location to your camera. In this case, you have just granted “Precise” location permission (FINE_PERMISSION) to your phone, whenever you are using the TEMU app.
You wouldn’t suspect that the TEMU app contains a full stack of malware / spyware tools to do just about anything it wants with your phone and get nearly anything stored on it sent to its own servers in the background. And it masks its intentions because software that violates your privacy is generally not permitted to be posted for distribution in Google’s Play Store or Apple’s App Store.
Grant TEMU an innocuous looking permissions request, and you’ve just given away the electronic version of your house keys, your car keys, and the combination to your safe, your keys to your file drawers, your photo storage, etc., etc., … all of it.
4) Location, location, location. Android implemented the system function ACCESS_COARSE_LOCATION specifically so apps could acquire some reasonable level of location data without compromising users’ privacy. But does TEMU use that? Noooo! As you see from our app comparison table above, TEMU gets its hands on ACCESS_FINE_LOCATION, to find out where you are within 10 feet or so, a query so intrusive that the Android team itself does everything it can to discourage the use of ACCESS_FINE_LOCATION except when absolutely needed for core app functionality (such as a map app). ( Link )
Can TEMU ascertain your exact location right now, you ask? From what we see, only when the TEMU app is running. Beyond that, unfortunately, our security experts can’t tell you. It depends … on what version of Android you are running, on the permissions you’ve granted to the TEMU app, and whether you’re connected to one or more cell towers right now.
Here TEMU’s app code references ACCESS_FINE_LOCATION — considered intrusive by developers unless specifically needed for core functionality.
We hope this example helps clarify the personal urgency we feel as we share these discoveries.
5) “Root” access. TEMU checks if a device has “root” access. With root access, the user and the TEMU app are able to read, modify and write not only user files, but all files on the device, including all the programming of other apps and the operating system. TEMU could theoretically brick any device where the user has “root” access and TEMU has file writing permissions. Maximum danger!
6) Encryption, decryption and shifting integer signals libraries are in prior versions of Pinduoduo and TEMU apps. The only purpose of this is obscuration of malicious intent. PDD very quickly removed this component in both apps when caught by Google in Pinduoduo. Before / after analysis of this sudden change to Pinduoduo’s and TEMU’s codebase reveals additional conclusions. See section ‘Analysis of PDD’s “Cleanup” actions’ for details.
“Well, it’s obfuscation, and certainly malicious code wants to be obfuscated. I am not a fan of this stuff for the reasons you state, but there are people who want to protect their trade secrets with obfuscated code. I’m not a fan. Combined with something above (loadable, compiled code) along with obfuscation, I think it’s a worry.”
7) Android version and OEM exploits: TEMU’s software team includes engineers who wrote Pinduoduo’s app, which contained exploits for over 50 Android security weaknesses, ( Link ) including many written for OEM customization code, which is subject to less security than the main Android code base. Information about the Android version is queried by system calls.
8) Debugger in the house. Calls in the code include a query Debug.isDebuggerConnected(), indicating to the running app if a debugger is engaged. We believe this is intended to obstruct or obscure analysis of the app, and most likely to change app behavior if an analyst is inspecting it dynamically.
“HUGE red flag to me. More than anything else. Detecting a debugger means — well, you don’t want anyone else to know what code you’re running. ”
9) User’s System Logs TEMU app is referencing systems data outside the bounds of TEMU’s own app. TEMU seemingly reads the user’s system logs. This gives TEMU the ability to track user actions with other apps running on the user’s device.
For the less technical reading this, the system log files provide exhaustive details on all the processes on the device, including errors, network warnings etc. It’s the device’s secret diary, with all its missteps and mishaps detailed. TEMU’s code references the log files’ address and options for shell commands. The only reason to introduce such strings into the proprietary code is to gather the log data to observe the user’s active usage of their device. In accordance with this, TEMU’s app requests a list of running processes using getRunningAppProcesses(), which together with the log files seems to make the app investigate the overall devices’ activities quite thoroughly.
TEMU app’s code corresponding to Row 4 of Security Issues table
referencing to the system log.
10) License and Registration, please. TEMU asks for the MAC address, and other device information, and inserts it into a JSON object to be sent to the server. This is especially aggressive. Why does a shopping app need a database of technical details of their customers’ devices? The MAC address is a globally unique identifier of any device in any network. This means, in the communication with the server, TEMU can potentially send information and source code to a specific user on a specific device.
TEMU app’s code corresponding to Row 10 of Security Issues table,
referencing the device-specific MAC address stored in a JSON object.
The TEMU app even reads and stores the MAC address, which is a unique and global hardcoded network identifier of a device. This is a big No No in internet security. A Distributed Denial of Service (DDOS) attack and other unwanted security probes could conceivably be launched against a disclosed MAC address.
11) Looking over your shoulder while you use your smartphone.
TEMU calls getWindow().getDecorView().getRootView(), to make screenshots and it stores those results in a file. Screenshots have been used before as a convenient way to spy on customers’ activities. What business of TEMU’s is it what other programs and data are on your computer screen?
“Well known abusive thing. It’s how abusive apps know that you have some other app installed. It can also be used for hacking credentials and so on. … This is a danger. Another big red flag.”
12) The Rigged Spinner: When you click on a TEMU display ad or a Google “Product Showcase” (horizontal scrolling) ad displayed by Google in response to a specific search term, your click goes to TEMU, as does other data, including what product you clicked on (many TEMU ads show multiple products –see below — and who knows what else). The rigged spinner always performs the same little script. It always stops on “One More Chance”, then even if you tried to browse away, it stops on the bright orange wedge with the biggest discount…every time. If you lose patience with this little charade, you can’t click “X” to exit. You are captive — you have to close the browser window to get away.
13) Shields down, Lieutenant Uhura. Why would a service provider intentionally and arbitrarily lower encryption standards? Once a user has granted file storage permission to TEMU, even by accident or by virtue of not knowing what that is or why it might be inviting problems, (See points 3) and 3a above) TEMU will be able to read and transmit any and all files on the user’s system, with little or no encryption.
14) Lights, camera, action! TEMU’s app references access to the users’ camera and microphone, whenever the app is running. Why does a shopping app need access to your camera and microphone? The app uses the camera occasionally, for example for uploaded user pictures in the review and image search parts of the app. However, during our testing, we did not find any application for the RECORD_AUDIO access. Recording audio would obviously be a very exploitable function for possible spy purposes.
15) Complex dynamic DNS naming: Whenever a TEMU user signs into a WiFi network, the app triggers an internet request to the static IP 126.96.36.199 and receives an encrypted string back. In TEMU’s source code a function DnsConfigInfo() references this IP, indicating that the internet request is related to dynamic naming of web addresses by TEMU. The function’s name can also be a misleading masquerade, of course. Our analysts questioned why this exchange is encrypted and why TEMU would use a layer of apparently complex dynamic naming despite owning static IP addresses in the U.S.
“There are reasons to obscure your code, look at DNS servers, etc. and if they were the only suspicious things we found, we’d not be writing this report. However, in a constellation with other things, we are concerned.”
We must ask if this is an instance of IP tunneling, IP fronting, or TEMU otherwise establishing a “private” connection to a server other than temu.com? Our experts cannot see a rationale for a shopping app needing to do this. The location of the server at the ultimate end of this IP connection remains unknown. (There might be intermediate “hops” to conceal its location.)
Do you wonder if your own personal data has passed through the portal created by this code? Or your children’s or friends’ data? Only TEMU knows. It seems unlikely that TEMU will reveal what is happening to U.S. customer data without a subpoena.
Grizzly Research: So when all these pieces are considered, how likely do you think that this is malware/spyware? And is this a sign of intentional effort to evade App Store security scans?
“Yes. Absolutely yes”
Additionally, one analyst reported that “TEMU sends a lot of detailed user and system data elements as soon as the app is loaded”. The user’s system gets queried in detail, so all that information is available to send to TEMU servers. (As noted above, this includes the device’s unique MAC address.) No user permission is required to gather any of this category of information.
Accountability, anyone? When a subpoena is served upon TEMU U.S., we question whether TEMU’s “Boston headquarters” is prepared to stand as a point of accountability with regard to U.S. laws. This office would be expected to be a valid U.S. point of service for TEMU U.S. operations, and having announced a “U.S. Headquarters” establishes venue for civil actions. By contrast, suing a Chinese company which sits behind a Cayman Islands VIE has no chance of traction.
As established by CNN’s reporting, the team responsible for the malign code is not based in Boston or Dublin. It is in Shanghai.
Taken individually, many of these system calls might be written off to “programmer sloppiness”, or “Some other apps do this”. But taken together, in the hands of an experienced spyware building team, these calls provide a complete arsenal of tools to exfiltrate virtually all the private data on a user’s device and perform nearly any malign action upon command trigger from a remote server.
What’s Behind the Curtain of Secrecy?
Our analysts also note indications of at least two extraordinary clues in the software that reflect the app engineers’ strong intention to purposefully cloak and obscure what the app actually performs when it is executing. These are:
Encrypt, decrypt or shift integer signals — technology that obscures the source code and system calls, so that the intrusive and dangerous calls are harder to detect when the App Store performs its security scans. Pinduoduo had such a proprietary functions library in a separate module when it was caught by Google. But it quickly removed it from both apps to get reinstated. That team now works for TEMU. ( Link ) So the expertise and experience is there. See details in the next section.
runtime.exec() — Row 1 on the security issue comparative apps table above, 1) on our list above, and one of the “holy grail” techniques of malware, is a stealthy method to get compiled code onto the user’s system at runtime that has not been seen by any security detection scans. With runtime,exec(), the recipe for the malicious code could be directed from information stored on a connected server onto the app, and “cooked to order” into an executable segment on the user’s device just when it is needed to do something invasive – and delivered this way because the software engineer who wrote it intended it to be undetectable.
Based on these findings, the numerous experts Grizzly Research contracted with all concluded that the TEMU app is very virulent malware / spyware.
An analysis of the affected version’s pinduoduo-6-49-0.apk source code on GitHub summarizes: “you can find multiple exploit codes for privilege escalation for different [Android] mobile phone manufacturers’ systems.”
The Swiss cyber security company Joe Security LLC ( Link ) provides a “Deep Malware Analysis” tool JoeSandbox with a specific application for Android apps. As expected, JoeSandbox shows the following analysis result for pinduoduo-6-49-0.apk:
Mirroring the comments on the source code analysis on GitHub, malicious parts were found in the categories Spyware, Evader and Exploiter.
Pinduoduo’s app (pinduoduo-6-49-0) scores a “MALICIOUS” 64/100. For comparison, Ebay’s Android app scores 18/100 at JoeSandbox and is categorized as “CLEAN”.
We found in the GitHub database an analysis of the package “com-einnovation-temu1680926400.apk”, executed on April 21, 2023. The name does not fit TEMU’s naming convention, but the analyzed file has the exact same size in byte and an identical MD5 hash as TEMU’s app version 1.61.1 for Android (“TEMU_ Shop Like a Billionaire_1.61.1_Apkpure.apk”, published on April 14, 2023).
JoeSandbox scores TEMU’s app with 68/100, which is even more “MALICIOUS” than the suspended pinduoduo-6-49-0 app.
Analysis of PDD’s “Cleanup” actions when its flagship app Pinduoduo was suspended by Google Play Store
The Big “Cleanup” at TEMU after Google’s Pinduoduo Suspension
After Pinduoduo’s suspension by Google on March 21, 2023, the company was forced to provide a rapid cleanup of its app to earn reinstatement into Google’s Play Store. Therefore, many files in the respective APK packages have been changed or removed when comparing the affected version pinduoduo-6-49-0 to the version that replaced it. Without explanation, identical files were concurrently removed from TEMU’s app.
The Pinduoduo and TEMU Apps are Apparently Still Malicious Even After the Post-20-March 2023 Updates
Google’s Suspension of Pinduoduo app, version 6.49, followed in-depth discussions of back-engineering and probably even leaked source code, as this analysis from March 10, 2023, shows. The analysis specifically points to a file AliveBaseAbility/vmp_src/mw1.bin in pinduoduo-6-49.0\assets\component\com.xunmeng.pinduoduo.AliveBaseAbility.7z, which has been removed from the succeeding versions. However, this does not provide 100% security that the app still isn’t malicious. A JoeSandbox analysis of PDD version 6.50.3 of March 21, 2023 indicates issues that are still consistent with the TEMU 1.61.1 analysis above regarding the metrics Spyware, Evader and Exploiter.
In accordance with these results, the malware statistics service VirusTotal.com registers PDD’s app as still “MALICIOUS”. Further, 3 security vendors flagged malware for version 6.49., 9 security vendors flagged malware for version 6.50.3, and 3 security vendors flagged malware for version 6.53.0. The vendor ESET-NOD32 even flagged PDD version 6.49.0 with “A Variant Of Android/Pinduo.A”, and version 6.53.0 with “A Variant Of Android/Pinduo.B”, clearly identifying that PDD updated their malware to slip through Google’s checkpoint instead of removing its malicious intent and structure.
Is it credible that Google allows malicious apps back on their Play Store? Of course, it is. Over the last years, Google’s mechanisms repeatedly failed to flag and ban malware. Competent analysts have written about the issue extensively, for example at ZDNET, Lifewire, kaspersky, and Wired. In reality, malware developers are often one step ahead until they are caught by tech analysts after release; Google often only reacts after specific problems have been highlighted by third-party analysts.
From this we can infer that the same fears of being suspended guided a clean-up in TEMU’s app development. We list files that have simultaneously been removed in Pinduoduo’s app and in TEMU’s app around March 21, 2023.
Comparison of APK packages: pinduoduo 6.49.0 (23-Feb-2023), pinduoduo 6.53.0 (29-Mar-2023), TEMU 1.55.0 (17-Mar-2023), TEMU 1.58.1 (6-Apr-2023). We chose the versions due to publishing date and availability.
Deleted File lib/armeabi-v7a/libmanwe-lib.so
Libmanwe-lib.so is a library file in machine language (compiled). A Google search reveals that it is exclusively mentioned in the context of PDD software—all five search results refer to PDD’s apps. According to this discussion on GitHub, “the malicious code of PDD is protected by two sets of VMPs (manwe, nvwa)”. Libmanwe is the library to use manwe.
An anonymous user uploaded a decompiled version of libmanwe-lib to GitHub. It reads like it is a list of methods to encrypt, decrypt or shift integer signals, which fits the above description as a VMP for the sake of hiding a program’s purpose.
In plain words, TEMU’s app employed a PDD proprietary measure to hide malicious code in an opaque bubble within the application’s executables.
Deleted File assets/building_bin/check.bin
This file is only available in a fully compiled form. The versions in the two apps differ but are not small with 82kB to 102kB. We cannot make more definitive statements about its content without the source code. However, we believe, given the findings about Pinduoduo 6.49.0 and the removal from both apps, the file could reveal further evidence of malware or protection mechanisms thereof.
At some point, investigative research hits a wall that it takes a subpoena to pierce. Various U.S. Government agencies have the expertise and legal authority to shine a light on this dark corner of internet stealth.
Latest findings: TEMU on Android compared to Amazon’s App
According to our own standard penetration analysis of TEMU’s app (TEMU 1.73.0) as compared to Amazon’s latest app version
- Base config is insecurely configured to permit clear text traffic to all domains. (Amazon: Base config is configured to disallow clear text traffic to all domains)
- Weak Encryption algorithm used.
- Remote WebView debugging is enabled.
- The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
TEMU on iOS
MobSF – iOS Static Analysis Report
At least four major threat issues were detected:
- App Transport Security restrictions are disabled for all network connections. Disabling ATS means that unsecured HTTP connections are allowed. HTTPS connections are also allowed, and are still subject to default server trust evaluation. However, extended security checks like requiring a minimum Transport Layer Security (TLS) protocol version—are disabled.
- Binary makes use of insecure API(s).
- Binary makes use of the insecure Random function(s).
- Binary makes use of malloc function.
More on Intentional Obfuscation
The app package (com.einnovation.temu 1.80.4) decompiles into 21,727 JAVA files in a complex tree of 4,322 folders. 1,940 of these folders and 8,681 of the JAVA files are packed for distribution with machine-generated names to thwart analysis. These folders and files are only accessible with an arbitrary name of random assigned letters assigned by the decompiler. The same holds for the classes and functions in which we found the code we suspect is malicious. These cryptically named files, folders, classes and functions cross-reference each other in a highly complex way. Thus, it is practically impossible for a human to read the decompiled code, and we believe TEMU uses additional tools in the compiling process to create this obfuscation. The most outstanding indicator for TEMU’s code obfuscation is the top-level view of the JAVA source after decompiling. Looking at TEMU, an analyst is directly greeted with 1,808 cryptically named folders. For comparison, Amazon and Ebay pack almost all JAVA files and folders for Android apps with human-readable names. With Amazon we only see one cryptically named folder on the top level, and for Ebay’s app it’s three.
Vanishing Codebase from APK Archives
Many websites archive APK’s published in Google‘s Play Store. However, TEMU’s app seems to have disappeared from many of these archives, in particular almost all with Google Page Rank of 6 or higher that appear on the top of Google searches. The TEMU APKs are removed from all websites with U.S. jurisdiction, indicating that legal measures by TEMU could be behind the exclusion from the web archives. Inaccessibility of the APK files makes malware research more cumbersome.
Were these websites pressured by TEMU’s attorneys to remove TEMU’s APK files? This is yet another observation supporting the conclusion that TEMU is hiding something.
An entry is “yes”, if at least one major app of these providers is available. This overview is from September 3rd, 2023. A “yes” in a grey box denotes outdated file versions. Traffic numbers for June 2023 by SimilarWeb. Google Page Rank by CheckPageRank.net.
*The website had other APKs by anonymous publishers falsely named “TEMU”
“I have been into mobile development, and then mobile reverse engineering and in my long expertise in the domain, I have never seen an apk with 50 million + downloads holding such an amount of user privacy red flags. The application looks like a clear data miner to me, aka a :Spyware, and a dangerous one.”
“There could be a well-hidden function that may trigger the assault, it could even not be present at the code for the moment, not until the next dynamic update.”
“Things like location data to me definitely raises a flag for me because I am not envisioning a lot of legitimate uses for it. And I know that selling location data is a big side business. So if they were doing something like monetizing the data of the people who use their app as a way to get further revenue, that’s the sort of thing that they would want to have. And it doesn’t even have a cover for how it benefits the end user.”
“If they’re storing [or transmitting] that data where Chinese authorities could get to it, then the chance for you as an investor that your completely reasonable [U.S.] investment would blow up over something stupid like that is, is relatively high.”
“Personal data sales is a huge business and it is very shadowy. We don’t know an awful lot about what these data brokers are doing and in numerous cases, the data brokers are doing things that are gray areas with regard to legality. As an example of this, two or three years ago, the CEO of the Vizio television talked about how the data that they monetize from the smart televisions that they sell allows them to sell the television at appx $50 cheaper.”
“It looks like they are doing things like trying to hide from an analyst what they are doing. They’re checking for a debugger running … you know they’re getting the running processes … but there’s the indication that they are looking for an analyst and which is the sort of thing that spyware would do so I think you’ve got something there.”
“I intercepted http traffic sent by the app, the first anomaly I noticed was the amount of data being sent as soon as you launch the app. This system information should not be disclosed, this is a clear violation of the user’s privacy. And I really don’t see what a ‘shopping’ app would do with the user’s operating processes… let alone his phone’s serial number.”
…”the file upload functionality, which was based on a command server connected to their API ‘xxxx.yyyyyy.zzzzzz.com’. This basically means that if a user grants file storage permission to the TEMU app — even by accident–, TEMU will be able to collect any file from the user’s device to their own servers, any file, including photos, private documents and more.”
Above are the broad array of findings that support our opinion that the TEMU app is purposefully and intentionally loaded with tools to execute virulent and dangerous malware and spyware activities on user devices which have downloaded and installed the TEMU app.
TEMU has laid an extensive software foundation to recklessly plunder its customers’ data. Our staff analysis, verified by numerous expert confirmations, both proprietary experts we hired, plus those independently published in the public domain, find malware, spyware, and several levels of exceptionally threatening software behavior. So in exchange for that super low, too-good-to-be-true price on some gadget, we warn you that TEMU is able to hack your phone from the moment you install the app, overriding the data privacy settings you think you have in place, as well as your intentions, helping itself to your contact list, your precise location, in some cases, control of your camera, screenshots of the apps running on your screen, and, depending on the permissions you may have given when you installed the app, your SMS text messages and other documents you may have on your phone.
Further, the TEMU app is engineered to hide its intentions and cloak detection of its invasive capabilities.
Your personal data — much more than you ever assumed — is resold indiscriminately for marketing purposes, and in all probability available to Chinese Security authorities for data mining purposes. Chinese Government security agents or their AI computers might be looking at what products you or your family buy on TEMU as a source of leverage, influence, manipulation, “cross-border remote justice”, surveillance, or more.
Remember that China was recently discovered to be operating clandestine police stations in New York City and Missouri, up to 7 “OCSC” service centers in U.S. cities, and other centers of Chinese enforcement in other countries. ( Link ) China’s ability to enforce and support “cross-border remote justice” is a legitimate security concern of the U.S. Government, whichever side of the aisle you identify with.
Given that the prize of its desperate grab for U.S. app installs can only be to monetize the U.S. consumer data it so persistently seeks, we are raising concerns about the potential for these forces to all converge just in time for the 2024 election season. China’s State Security apparatus simply has too much to gain in this contest.
The trove of cross-referenceable private personal data vulnerable to exfiltration by TEMU’s aggressive malware/ spyware needs to be investigated by those we rely on to keep us safe. We can’t rely on China’s Security establishment to play by our rules.
The Malware / Spyware Engineering Cat-and-Mouse Game
We anticipate that upon public release of this report, TEMU’s software engineers tasked with cloaking their most invasive features will be immediately ordered to “address” all these issues. We anticipate a rapid update.
However, we anticipate the main focus of that update will not be to clean their software of malware / spyware features, and make their code base transparent to security audit! We anticipate they will instead up their game, trying to cloak all of the malign code that this report was able to detect and document.
So the most intriguing question is not whether TEMU’s app is suspended from the Google Play Store and/or Apple’s App Store. The far more interesting question is, if suspended, whether and when it will be reinstated, and what the new capabilities of the app actually are.
And that begs the question of what PDD is going to do with every piece of user data they are exfiltrating right now. The company has to decide whether it will choose the path of transparency and voluntary submission to App Store guidelines or U.S. government subpoenas. And how will Google and Apple, two of the largest and most influential corporations on the planet, position themselves vis-à-vis their economic interests, and their fiduciary role to protect their users.
To put it in the plainest possible language, if PDD is running the world’s largest online five-and-dime, and is completely convinced beyond all doubt it is such a great business that it is worth investing billions to sustain losses while growing a user base and building a platform, why would they risk it all? Bundling their playful shopping app with aggressive and intentionally sneaky and clandestine malware? It’s not like there are dozens of other App Store portals they can sign up with. If Google and Apple app stores refuse to admit them, their primary access point to their Western customers is barred and locked overnight, and with that their business model for the entire enterprise. If this is not about selling your data, how do you explain it?
TEMU is Also Screwing Its Customers and Vendors in Many Ways
TEMU is designed to sell you something … anything … because it’s “cheap”… at a huge loss. Ask yourself “Why?”
PDD’s TEMU online marketplace is being reported as among the fastest uptaken apps in history. The bait? Insanely low prices. (94% off! Wireless earbuds $3.70! Eyebrow pencil $0.59! ) Is it that U.S. customers don’t care if they get defective products, or something that doesn’t even resemble what was advertised? Meanwhile the company is spending $30 per order ( Link ) to sign us all up and sell us something…but most of all it wants you to download the app! And we’ve explained why! For a humorous but insightful take on this topic, as well as “free shipping”, see YouTube ( Link ).
“One more chance” spinning wheels, 90% discounts, and three-card monte for gift certificates… when you haven’t even bought anything yet.
TEMU runs a persistent, aggressive affinity scam
Refer your friends, get stuff free! What’s better than free? Give your email or cell phone number to TEMU and you’ll get aggressively recruited to the affinity scam.
Curious minds wonder what the buyer loyalty or return order metrics show, once the cheap stuff finally arrives. Consumer interest in businesses like this can rise and fall rapidly. Oh, the company doesn’t disclose those numbers. More on this later.
Meanwhile, once you give TEMU your personal information, you will be repeatedly spammed, hounded, nagged, and bribed to get your friends and family to give TEMU their personal information. When users fall down this rabbit hole, (getting that Nintendo Switch absolutely free) TEMU sends a torrent of popup sequences milking users for “just one more contact”. Of course, the goalposts keep shifting. There are now literally thousands of so-called “influencers” hawking TEMU referrals on Reddit, YouTube, TikTok, and also Minecraft, Roblox, Discord, and … the pitch is: “You don’t have to buy anything, just sign up!”
“Those who do register are subjected to a bombardment of emails and app notifications (a slew of text messages drove one disgruntled consumer to sue the company in May, claiming it amounted to being harassed).” — The Telegraph ( Link )
If you dare, go ahead and join the fools parade into this MLM gold rush gone viral! The only problem now is the pool of people left to “refer” is dwindling, and people are getting sick of being solicited. TEMU recruitment is like a chain letter — just another unsustainable scheme for quick numbers that don’t result in actual customers in a sustainable business. Once your own experiences turn negative, you’ll regret having gotten your friends and family involved.
An entertaining YouTube exposing the whole scheme awaits you here: ( Link )
Social media influencers are mass-spammed with cash payment inducements.
If you have a social media presence, TEMU will figure that out and will start to spam you — every day — to induce you to create videos promoting TEMU, for which they promise to pay. Watch out — that promise will morph into a promise of “free stuff”. How many wannabe “influencers” are producing “haul” TikTok videos right now because they’ve been recruited into this bogus affinity scheme? For an entertaining YouTube video on this topic… “Sign up your kids, your husband, your neighbor, anybody at school if you go to school … “ Draw your own conclusions. ( Link )
TEMU “reviews” are likely rigged and not believable.
TEMU also compensates users to write reviews. If you look at the IOS app store right now, every single review –both positive and negative — is a full screen of text in length. This is weird — simply not what a normal review page looks like. We all look at volunteered reviews for one thing or another. Some are a paragraph, others a few words or key points, or just a single pithy complaint. Somewhere, somehow, TEMU is giving away something to incent review length.
See the review below — a scathingly negative one — that calls out illegal activity — in the reviews of the products themselves, pointing out how the star ratings on reviews are obviously skewed positive, and many displayed reviews are clearly for other products. Yet, this review has earned TEMU 5 stars! It also gets a lengthy if vapid “developer response”. It’s clear the entire world of TEMU “consumer reviews” is rigged. There are no doubt crossovers between TEMU’s overly aggressive recruitment of ”influencers”, the positive “haul” videos on TikTok and YouTube, and the review content. Caveat emptor!
From IOS App Store July 9, 2023.
Obviously, every TEMU review anywhere is suspect. This was the first one displaying on the App Store the date we looked. How did it get five stars despite being a total gut of TEMU? How many of the YouTube “haul” videos, the comments on those, the App Store reviews, the product page reviews, are all at the hands of the army of recruited “influencers”. Don’t worry, by next year, TEMU won’t have to bear those “influencer” costs any longer. AI will generate all these reviews for cheap!
This one, the reviewer begs for his “referral brownie points” in the first line. Do you think his review is even remotely “objective”? And his website is registered to a Russian “private identity” agency, so we’re not recommending you use their “services”…
TEMU website and app will constantly display pop-up inducements, which track you.
Your behavior will be categorized and siloed. If these kinds of inducements exert an addictive pull on your brain, AI pattern recognition will guarantee you will see a lot more of them. If you are on the TEMU website, all the most persistent inducements are pointed towards getting you to install the TEMU app.
TEMU ads are designed to profile and silo you.
TEMU’s ads are designed to enable profiling and tracking people. Notice the ad with tight shapely dress and AR-15 and sniper rifle charm bracelet baubles:
TEMU products as shipped often do not resemble the photos.
TEMU’s products may be too small and too cheap to bother to return
Only the first item in an order qualifies for a free return. Other returns bear service charges and more complexity. If you’ve been induced into a multiple-item order, you’ll probably just punt on the cheaper stuff. TEMU wins, you lose.
TEMU blames customers for ordering unmerchantable items
Commerce in the U.S. is covered by a law called the UCC uniform code that broadly protects buyers under a code of an implied warranty for “merchantability and fitness”. TEMU’s headquarters is in Boston. But it seems in practice rather cumbersome to get the company to abide by that law. ( Link ).
… which drives vendors to resort to child and forced labor ( Link )
… which turns a blind eye on vendors who, driven by extreme cost pressures, manufacture with materials made with dangerous chemicals ( Link )
TEMU looks the other way when its vendors rip off legitimate small business’ designs and marketing photographs
As if on cue, this article appears. Seems there are Chinese manufacturers who look for Amazon bestsellers they can knock off. Not only do they copy the products, they take the pictures and text right off the Amazon page, and it goes straight to TEMU displays. We expect TEMU to once more blame the manufacturers ( Link ).
Also, ( Link ), ( Link ) (Just two of many, all over the internet). Copyright holders can complain, but the vendor can object to the complaint. The process is stacked in favor of the vendor, and the overall track record for IP protection for U.S. entities in China is abysmal.
TEMU is now embroiled with competitor Shein over mutual accusations of stealing copyrighted designs, essentially the same bad behavior documented above on a bigger scale ( Link )
TEMU responds by blaming its customers for buying products whose designs have been stolen.
When called out about these practices, it resorts to the “We’re just the middleman” defense … again. ( Link )
If your credit card security is breached after a TEMU transaction, TEMU won’t be accountable ( Link )
Keyword search auction for stolen trade names … a gargantuan counterfeiters’ marketplace.
If you manufacture Rolex look-alikes, Coach look-alikes or sneakers, do you think you have a chance of your product appearing on TEMU with 61 pages of competitors ahead of you unless you buy search keywords?
This IP/brand name issue just heated up. TEMU just got nailed for promoting knockoff Air Jordan’s, even after Shein removed them from its website. If this article is correct, Chinese manufacturers are paying for TEMU’s keyword search on over 1,000 “Air Jordan” SKU’s, do you think any of that revenue is shared with Michael Jordan? ( Link )
Keyword Searches: “Air Jordan shoes”, “Air Jordan for kids”, “Air Jordan for women”
Potential government intervention — closing postage, tariffs and customs loopholes.
For the purposes of shipping into the U.S., China, with the world’s second largest economy and the 2nd largest military, is categorized as a “developing nation” at an obscure international agency (UPU) that sets international postage rates. As a result, China gets to ship small parcels to the US that the USPS must deliver to residential addresses for over $1.00 less than domestically shipped parcels. According to this article, this shipping rate means that U.S. companies supplying undifferentiated products cannot compete with China for parcels up to about 4 lbs. ( Link )
U.S. China Economic and Security Review Commission already realizes its own USPS and Customs laws are giving a huge competitive advantage to Chinese firms over U.S. companies. It proposes reducing the $800 per parcel exemption loophole from tariffs, customs and import red tape to $10 (the law is already written). And TEMU is toast the day this becomes law. ( Link ) (Link )
The day either of these Government intervention scenarios is enacted, PDD stock will be crushed. It is our opinion that it will never again see these highs. These are enormous risks for shareholders, the timing of which can’t be predicted on a chart.
But intervention will happen. The abuse in this case is too obvious, and on too large a scale! If TEMU had 1,000 users, it wouldn’t matter. But with 100 million app downloads, the stakes are just too high.
TikTok is entering TEMU’s space as a Direct Competitor
Updated July 26, 2023 3:10 am ET ( Paywall, sorry. Look this up yourself.) ( Link )
SHEIN is entering TEMU’s space as a Direct Competitor
This headline says a lot. ( Link ) SHEIN is privately held, actually has established a disruptive business in “Fast Fashion” (a history of more than 15 years). While it has its own controversies, it isn’t trying to sell anyone any stock… it sells clothing. And it makes a profit — that’s probably why it’s privately held. If it didn’t make a profit, it wouldn’t have survived its 15-year old origin story and development history. And it has a sizable presence in Amazon stores already, including Juvo Plus, one of the largest on Amazon.
TEMU Has No Competitive Moat Except its Willingness to Spend Money for App Installs
Compare this simple truthful statement with the nonsensical PR claim that TEMU has been getting published in crappy second-tier newspapers who rely on free “adverticles” because they cannot afford real journalists anymore, that it has invented some incredible, exciting, irreplaceable business model called “Next-Gen Manufacturing”. We won’t glorify any of these journalistically vapid faux news pieces with a link here, but trust you will find plenty.
There are at least 10 companies operating in this space already. They all rely on the same customs/inspections loophole for parcels under $800, and the small-parcel loophole that gets their packages to you cheaper than if a small business in the U.S. tried to ship a parcel to you. They all sell you cheap Chinese “stuff”. The only difference is that these firms are trying to survive on the discipline of selling stuff they think people want, buying inventory cheaply, and trying to survive on the spread, just like every other business. They’re not trying to steal your data, or sell you their stock, while they keep their financials in a black box.
The Significance of TEMU for PDD
PDD launched TEMU to expand to OECD markets very aggressively. TEMU went live recently in the U.S. (September 2022), Canada (February 2023), Australia and New Zealand (March 2023), France, Italy, Germany, the Netherlands, Spain and the UK (all in April 2023). TEMU’s 2023 marketing budget is, reportedly, up to over $7 billion and includes a Super Bowl ad, a large online ad campaign and sponsorship programs; for comparison, Walmart’s 2022 marketing budget was $3.9 billion.
We believe the company does this to collect Westerners’ data for resale. Our short case does not rely on foregone revenue in these markets, but rather the strategic potential of not being able to collect Westerners’ personal, confidential and invasive user data. This case is more about fraud (specifically, monetizing the fruits of spyware) than about missing a minor business lane.
PDD Holdings (“PDD”) does not break out international sales in its quarterly filings. In the fourth quarter 2022 earnings call, management said that international sales were “small“, and that the international business was still in its early stages.
Devil’s advocate: What are PDD’s ROI expectations for TEMU? J. P. Morgan values PDD with 28x 2023E P/E “at the high end of major China Internet companies’ historical range” based on growth outlook and “by the optionality of TEMU”. Goldman Sachs puts more emphasis on TEMU, applauds the successful rollout (quite extensively; likely sponsored by PDD) and forecasts material earnings contributions from 2027 onward.
Thus, PDD would lose strong double digit % long-term earnings potential with a lasting TEMU ban alone. That’s why TEMU justifies a mention in GS’s bull case:
Other online chatter has filled the information space on the topic. A March 2023 Seeking Alpha article concludes that “TEMU is the No.1 driver for PDD stock in 2023. Investors can closely follow TEMU’s developments especially in the following areas:
1) Growth in GMV and Monthly Active Users
2) Shopper sentiments around product quality and shipping services
3) Strategic partnerships overseas that help with TEMU’s supply chain or traffic acquisition”.
Note that this analysis, like many, overlooks consideration of;
- Consequences of material political, legal and regulatory risks
- the unsustainability of temporarily subsidized prices for parcel shipping TEMU now pays (now $9 or $10 per parcel), through J&T Express, which is expected to raise prices to TEMU materially, as soon as J&T’s IPO, now filed, is complete or fails). ( Link )
Part 2: PDD is a Dying Business with Untrustworthy Financials that is Run for the Benefit of Insiders
PDD is an Accounting “Black Box”
The company’s disclosure pattern is to reveal less and less of its operating metrics with the passage of time. Even the sell-side analyst capitulates, calling PDD a “black box”.
PDD’s main metric is declining quickly and sequentially. Its lack of disclosure is so bad that even the sell-side analyst is pointing that out ( Link ) (This linked page is in Chinese. Use Translate to see English.)
According to the report, one of PDD’s most important metrics, DAU (Daily Active Users), has decreased 9% sequentially in the month of March from February, despite massive ad spend, and for the first time since February 2022, Shoutao, an e-commerce platform offered by Taobao (owned by BABA) has surpassed PDD in terms of DAU. The decline has accelerated to a year-over-year decline of over 20% in June 2023. PDD stopped disclosing their DAU metric.
在那之前，拼多多已经明确了 DAU 是比 GMV 对自己更重要的指标
Before that, PDD explicitly indicated that DAU [daily average users] is a more important metric than GMV [Gross Merchandise Volume].
We believe the earnings results from PDD in the past few years are abnormal. Both JD and Alibaba show weakness in terms of growth and profitability, yet PDD is showing strength in growth and profitability. Reasons given by PDD’s management are not convincing. Even the sell-side analyst is saying the company management does not disclose enough…
“We continue to view the lack of disclosure as a major concern among investors and would encourage mgmt to disclose more. Retain EW.”
In the meantime, PDD has been eliminating disclosures on operating metrics, which makes it harder for investors and analysts to analyze its earnings results. For example, between Q1 2021 and Q3 2021, PDD stopped disclosing it’s the twelve-month GMV and annual spending per active buyer in the twelve-month period numbers, then it disclosed these two numbers again in Q4 2021, and has since stopped disclosing these two numbers starting from Q1 2022. In addition, starting from Q2 2022, PDD also stopped disclosing average monthly active users and the twelve-month active buyers’ numbers. In other words, PDD is disclosing less and less metrics in its earnings release, and it has become more and more vague to the investors in terms of disclosed metrics.
Note: the yellow cells indicate numbers for which the company ceased disclosure. Whose interests does that serve?
No CFO at PDD since 2018 — VP of Finance has been a revolving door
In addition, it is hard to imagine, as a $135 Billion market cap company as of publication date, PDD never had a Chief Financial Officer (CFO) since it went public in 2018! This is highly unusual in our opinion. It appears the company would say its VP of Finance is in charge of the company’s accounting and financials. However, a detailed look into its VP of Finance position would give us some pause.
Source: company filings
There have been at least 3 people employed as VP of Finance since 2018, plus the company didn’t even have a VP of Finance (not to mention CFO) for over a year! How can any prudent investor trust the financials of a company which had this lack of financial oversight since the day it went public in 2018? This is governance worthy of a small-cap OTC company.
Auditor is worthless. Former accountants had oversight responsibility to detect fraud, but did nothing.
Former accountants audited numerous Chinese companies whose shares proved worthless.
Ernst & Young Hua Ming LLP has been PDD’s auditor since it went public in 2018. According to PCAOB, E&Y Hua Ming’s Engagement Partner Wei Liu was in charge of PDD’s audit for the fiscal year 2021 and 2022, but before that, another engagement partner Congyue Song was in charge of the audit from 2018 to 2020. Through searching Wei Liu’s audit history, it can be found that Wei Liu only audited another China-based company LightinTheBox (NYSE: LITB) from 2019 and 2020. Congyue Song was in charge of 21Vianet Group, Inc. (NASDAQ: VNET) from 2016 to 2018, Molecular Data Inc. (OTC: MKDTY) from 2018 to 2019, and BEST Inc. (NYSE: BEST) from 2019 to 2022.
Needless to say, these auditors didn’t help shareholders in any of these companies.
Lite In The Box 21Vianet
Molecular Data: Best, Inc.
PDD employee count is untrustworthy: undercounting employees overstates profitability in reported financials.
PDD has a history of amending its employee count on its own official website, which should make investors question the reported employee count on its annual reports, thus questioning its reported expenses related to its employees and the company’s overall profitability. Yet another example of “hide-the-ball” accounting.
The table below summarizes PDD’s employee counts on an annual basis.
It appears the company vastly under-reported its employee count before it went public. For example, the company stated in its prospectus and annual report that its overall employee count is 1,159 as of December 31, 2017. However, the Wayback Machine shows that on PDD’s website screenshots as of December 17, 2017 and January 17, 2018, it stated that there are more than 5,000 employees belonging to PDD group, which is over 4 times of what PDD disclosed in its prospectus and annual report.
What’s worth noting is that PDD amends this employee count to 2,000 in the later version of its website according to the Wayback machine in July 2018. However, we are still inclined to believe the 5,000 employee count is more likely the case, rather than the 2,000 number that PDD later amended.
Involvement with “order brushing” plus 7B RMB gambling traffic routed through its platform, renders order flow data untrustworthy
There are three incidents that indicate the likelihood of massive order brushing on PDD’s platforms.
1) Based on our conversation with the order brushing “expert”, when people opened new shops on Pinduoduo’s platform, the owner of the shop could grant access to the order brushing expert. Depending on the terms set between two parties, for example, the new shop owner could ask for how many transactions happened during a certain time period, how many positive reviews that shop would receive, etc. The owner will need to pay fees to the order brushing expert, depending on the terms.
To be clear, it is not likely that PDD performs the order brushing. However, PDD, as well as other e-commerce platforms, surely knows there is order brushing going on. It casts a blind eye and allows it.
2) There were also comments on the investment forum that one purported seller on the Pinduoduo platform observed that in the early morning and in the evening, a large number of orders would emerge from the back end of PDD, which would then be canceled. Even though those orders were canceled, Pinduoduo would still collect 0.6% of those payment transactions. It is unclear about the scale of these kinds of activities, but it gives the indication that large and repeating numbers of “abnormal transactions” are part of the PDD culture.
3) According to this article (LINK), CCTV in China reported in August 2020 that there is an e-commerce platform that was used by the cross-border money laundry organization to launder 7 Billion RMB. The article stated that readers might have heard of “order brushing” before, but the linkage of fake orders to real money laundering is apparently the real reason why those instances of order brushing appeared.
“In one large case in Wuxi, a city in eastern China, investigators uncovered 600 million fake packages had been entered into the shipper’s tracking systems by employees to complete the transactions, FT reported. — Pymnts.com ( Link )
According to the article, two criminals controlled thousands of “empty package” websites and there were about 600 million of these logistics orders [for empty package]. It was later found that these empty packages were actually used as the transaction payments of cross-border gambling. In early June , police from Wuxi city arrested 40 people involved in 15 cities. The police from Wuxi compared those empty package order numbers and many of these orders appeared in two cross-border gambling money laundering cases with the total amount of funds of 7 Billion RMB. ( Link )
Important Operating Metrics Indicate PDD is Facing Fierce Competition Against Alibaba and JD in China, and PDD is Seemingly Losing the User Traction Compared to Peers.
As numerous outlets reported before ( Link ), the IPO of Ant Group, whose parent company is Alibaba (NYSE:BABA), was cancelled by the regulators in China in the month of November 2020. This was widely viewed as the beginning of the crackdown of Alibaba by the Chinese government. We believe PDD is one of the main beneficiaries of the regulatory crackdown of Alibaba in the past few years. There are two reasons for us to believe that is the case. First of all, according to this article ( Link ), the data cited from QuestMobile in the article showed that on February 12nd and 13rd 2021, the DAU (daily active user) of PDD’s mobile application surpassed that of Alibaba’s mobile application Taobao for the first time: PDD’s DAU of 259 million vs. Taobao’s DAU of 237 million. This is only over 2 months after Alibaba’s Ant Group IPO was cancelled. In addition, we believe the profitability of PDD also indicates that it benefitted from the crackdown on Alibaba. The table below shows that before Q2 2021, PDD reported negative non-GAAP operating margins since Q1 2019. We can see that 2 quarters after Alibaba’s crackdown, PDD has been reporting consistent positive operating margins that are at least over 13%. Of course, we are not saying that this might be the only reason PDD reported these operating margins, but when the No.1 player in the sector is constrained by regulation, it is common sense that the less constrained other players are going to benefit from less competition.
However, we believe the happy times for PDD within the domestic China market are ending. In July 2023, it was reported ( Link ) that the Chinese government fined Ant Group 7.1 Billion RMB and requested Ant Group to close down the crowdfunding platform Xianghubao. It seems the multi-year regulatory crackdown on Alibaba has come to an end. It is understood that the announcement of the fine is more like a signal, but we believe easing of regulation began earlier than that. This policy change is also partially due to the disappointed economic rebound that was originally highly anticipated after China ended its “zero-COVID” policy. The Chinese government is trying to encourage the private sector to help revive economic activities by easing regulations on the private sector. In 2023, it appears “Alibaba has been putting up enormous resources into Taobao to regain its attraction on both user side and merchant side. And according to the third-party data, its strategy is working.
Moonfox ( Link ) claims on its own website to be “China’s leading expert in all-scenario data insights and analytics services”. It published a research report for the 2nd quarter of 2023 regarding China’s mobile internet industry ( Link ). In this report, it shows in Q2 2023, the quarterly averaged DAU (daily active user) of Taobao is 391 million, and the same metric of PDD is 238 million. Be reminded that according to this article ( Link ) mentioned previously, in month of March 2023, every day there were about 380 million users on Taobao, which was only 26 million more than PDD’s DAU. The article did not specify if this third-party data was from Moonfox or some other analytics company. However, if we assume the data is somewhat comparable, PDD’s quarterly averaged DAU has taken a big drop in Q2 2023. Because in the article, PDD’s estimated DAU in the month of March should be about 354 million (=380m – 26m), but for Q2 2023, the quarterly averaged DAU is only 238 million. There seems to be over 100 million DAU drop from Q1 2023 to Q2 2023. As we just mentioned, different analytic companies might have slightly different numbers when calculating DAU, but we do not believe a difference of over 100 million can be attributed to this. The trend is clear: PDD is sliding while Taobao is gaining ground.
Source : ( Link )
The decline in PDD’s DAU has also been corroborated by some other sources. For example, an account on Snowball (a popular and widely used investor forum) posted a screenshot of a part of Goldman Sachs research report from July 19th 2023, which shows that PDD’s DAU in month of June 2023 “continues to decline at -21% YoY post its app version update”.
Source: ( Link )
In addition, this article ( Link ) also shows that both Taobao and JD have positive year-over-year growth in their DAUs since February 2023. Yet PDD’s DAU growth rate kept decreasing since February 2023 and its year-over-year growth rate reached over 20% decrease in month of June.
Source : ( Link )
Besides Alibaba, JD is also investing big money to compete with PDD. For example, it is reported in February 2023 (LINK) that JD is set to spend 10 Billion RMB in subsidies to execute its “return to low prices” strategy. It is unclear how much money JD actually spent during this program; however, based on the DAU data shown in the above diagram, JD’s DAU since February has shown a positive year-over-year growth rate, as compared to PDD’s negative year-over-year growth rate since February.
On the merchandise side, according to the third-party research from Moonfox, as Taobao goes deeper into a cheap price strategy, it attracts more small merchandise onto its platform, which results in material growth in active merchandise numbers on Taobao and decrease in the active merchandise number for PDD. To be exact, in June 2023, Taobao’s merchandise portal application Qianniu’s DAU reached 2.178 million, with year-over-year growth of 4.5%. However, PDD’s merchandise version’s DAU was 1.601 million, with a year-over-year decrease of 7.8%.
Source: ( Link )
It is clear to us that PDD is seemingly losing its competition against its main peers, and we are convinced that PDD’s domestic business and its profitability will likely get squeezed as Alibaba and JD re-focus on their low price segment. In the Chinese consumer market sector, we do not believe consumers tend to stick with one platform, rather they swiftly pivot to whichever platform provides the best deal. Alibaba has gigantic resources to compete with PDD in PDD’s backyard, and now with the crackdown officially over, it has much more flexibility to do whatever s needed to compete on this front. JD has one of the best logistics services in China as an e-commerce platform, and it could use both cheap price and fast delivery services to compete with PDD. In other words, in the near future, competition over cheap price strategies will be beyond fierce. We do not believe PDD is going to win this battle domestically. Instead, we believe PDD is struggling to maintain its current standing on the play field domestically and this is probably one of the main reasons why it launched TEMU : to have a global expansion/growth story to tell investors.
The payments company built by PDD is carved out to a separate, privately held operation — by management, for themselves.
This game of “hide-the-ball” allows a large amount of the cash flow generated by TEMU to be siphoned off to TEMU executives with little to no oversight or financial accountability. This is a rerun of the AliPay playbook!
We believe Shanghai Fufeitong Information Service Co., Ltd. that PDD formed with its executives is highly suspicious. The company stated in its risk factor that it:
“does not control Shanghai Fufeitong and the majority of its equity interests is indirectly controlled by our executive officers. If any conflict arises between us and Shanghai Fufeitong and cannot be resolved in our favor, our business, financial condition, results of operations and prospects may be materially and adversely affected”.
Shanghai Fufeitong was formed to “supplement” (e.g. “displace”) the payment services that Tencent has been providing to PDD. We believe the eventual goal for PDD is to use Shanghai Fufeitong to control and cash in on as much as possible of the payment transactions that Tencent is currently providing.
We do not control Shanghai Fufeitong and the majority of its equity interest is indirectly controlled by our executive officers. If any conflict arises between us and Shanghai Fufeitong and cannot be resolved in our favor, our business, financial condition, results of operations and prospects may be materially and adversely affected.
In April 2020, Shanghai Xunmeng, a subsidiary of the VIE, entered into a business cooperation agreement with Shanghai Fufeitong Information Service Co., Ltd., or Shanghai Fufeitong, pursuant to which both parties agreed to conduct comprehensive business cooperation in payment services, technical resources and other related professional areas. As Shanghai Fufeitong is a company which Messrs. Lei Chen and Zhenwei Zheng, our executive officers, indirectly hold 50.01% of the equity interests in, the transaction constitutes our related party transaction. See “Item 7. Major Shareholders and Related Party Transactions—B. Related Party Transactions—Loan to Ningbo Hexin and Business Cooperation Agreement with Shanghai Fufeitong for more details of the transactions.
As Shanghai Fufeitong, which we do not have control over, also provides payment services to other parties from time to time, we cannot assure you that Shanghai Fufeitong’s transactions with other parties or its pursuit of opportunities and development would not conflict with our interests. There can be no assurance that Messrs. Lei Chen and Zhenwei Zheng, in light of their control over Shanghai Fufeitong, would act in favor of our interests if any conflict arises between us and Shanghai Fufeitong. If the conflict cannot be resolved in our favor, our business, financial condition, results of operations and prospects may be materially and adversely affected.
Moreover, due to our cooperation with Shanghai Fufeitong, any event that negatively affects Shanghai Fufeitong may also negatively affect the perception of our customers, merchants, regulators and other third parties on us and may further adversely and materially affect our reputation, business, results of operations and prospects.
Source: 2022 20F, PDD Holdings, Inc.
There are two issues surrounding Shanghai Fufeitong. One is that U.S. shareholders of PDD could have the “Alipay incident” all over again. The “Alipay incident” involves Alibaba forming a payment company called Alipay to facilitate the e-commerce platform’s transactions. However, Alipay was established with its own ownership structure so that Alibaba does not own Alipay; rather Alibaba’s executives owned Alipay since the beginning. Eventually when Alibaba went public, Alipay was not included as owned by the publicly listed company. ( Link ) Eventually shareholders found out that Alipay was worth hundreds of billions of USD, but they were not able to enjoy the fruits of that part of business as Alibaba’s shareholders. If you follow investing in Chinese companies, this sounds familiar! If in the future Shanghai Fufeitong develops its business significantly, PDD’s shareholders will not be able to enjoy that part of business development as PDD’s shareholders. The biggest beneficiaries of Shanghai Fufeitong will be PDD’s executives! This should be a big red flag for U.S. shareholders.
The second issue surrounding Shanghai Fufeitong is that the numbers simply don’t make sense. For example, in the related party transaction section, PDD listed the services received from both Tencent Group and Shanghai Fufeitong. These services should be the payment services where, as PDD disclosed, Tencent would collect 0.6% commission fee from the payment processing on PDD’s platform. Shanghai Fufeitong was established in 2020, so it began collecting revenue from the services provided to PDD. We can see that the total services received from both Tencent Group and Shanghai Fufeitong were 10.6 billion RMB (10.5 billion from Tencent Group and 45 million from Fufeitong Group) in 2020, 8.6 billion RMB (8.4 billion from Tencent Group and 211 million from Fufeitong Group) in 2021, and 7.7 billion RMB (7.1 billion from Tencent Group and 654 million from Fufeitong Group) in 2022, respectively. This means that PDD received transaction processing services from the sum of Tencent and Shanghai Fufeitong decreased 10.6% from 2021 to 2022.
Source: Company filings, Grizzly Analysis
This does not make sense to us. In the revenue segments provided by PDD, its transaction services revenue actually increased from 14.1 billion RMB in 2021 (accounting for 15.1% of total revenues) to 27.6 billion RMB in 2022 (accounting for 21.2% of total revenues), an astonishing increase of almost 95.4% year-over-year. Besides these two payment options (WeChat Pay is supported by Tencent and Duo Duo Pay is supported by Fufeitong Group), there are some other payment channels on PDD’s app as shown in the screenshot below, including Alipay, Apple Pay, Hua Bei (payment channel supported by Ant Financial), Ask WeChat Friend Pay.
Source: PDD Mobile App
How can PDD increase its transaction services revenue at a 95% annual rate, yet its transaction processing services received from its two main payment processing companies declined 10.6%? This just doesn’t make sense to us.
In addition, it is reported ( Link ) in 2020 that 26.8% of Shang Fufeitong’s equity interest changed hands, however, it was undisclosed who the buyer(s) are. The transaction amount of this deal was 236.55 million RMB and it was completed on November 16, 2020. We find this transaction suspicious because after over 2 years since this transaction, the shareholder information of Shanghai Fufeitong has still not changed.
China Unionpay Merchant Services Co., Ltd transfers its 2.22% of Shanghai Fufeitong, Shanghai Water Affairs Construction Engineering Co., Ltd. transfers its 0.737% of Shanghai Fufeitong, and Shanghai Information Investment, Inc. transfers 23.86% of Shanghai Fufeitong.
After the record change, these three original shareholders of Shanghai Fufeitong, China Unionpay Merchant Services Co., Ltd, Shanghai Water Affairs Construction Engineering Co., Ltd, and Shanghai Information Investment, Inc. will exit. Based on the final transaction price, the 2.22% equity interest held by China Unionpay Merchant Services Co., Ltd is worth 19.582 million RMB, with premium as high as 625%. Before China Unionpay Merchant Services Co., Ltd goes public, it successfully cashed out its owned Shanghai Fufeitong shares.
The screenshots below are from Qichacha, and they show that the shareholders’ information seemingly still hasn’t changed after over 2 years since this share transfer transaction closed.
For example, from the information shown above, Shanghai Information Investment, Inc. is still shown to be a 41.866% owner of Shanghai Fufeitong, China Unionpay Merchant Services Co., Ltd is still shown to be a 2.2195% owner of Shanghai Fufeitong, and Shanghai Water Affairs Construction Engineering Co., Ltd is still shown to be a 0.7371% owner of Shanghai Fufeitong. Our question is, if the share transfer transaction was completed in 2020, why has the new shareholder(s)’ information still not been updated? Has this transaction really happened or not? And if the transaction really happened, who are the real buyer(s) in this transaction?
Large numbers of shares seemingly unaccounted for –Billions USD worth of stocks went “missing” – Some were supposedly donated to charity and some given to Venture Capital investors
This point is sourced from a media report in China that asked where the money went after PDD’s previous Chairman Zheng Huang significantly decreased his shareholding in PDD.
The 2019 20F below disclosed he controlled 2.07 billion class B shares of PDD, which accounts for 43.3% of the total shares outstanding.
The 2020 20F below showed his holding was only 1.409 billion shares of class A (all class B shares were converted into class A shares) which accounts for 28.1% of the total shares outstanding.
It was reported ( Link ) that the main reason for the shareholding decrease was that Chairman Huang donated many shares to different charities. However, the article below was questioning these donations because they were unable to find any information about those charity funds, either in Chinese or in English.
In addition, the article also reported that there were 180.4M shares of PDD, which accounts for 3.77% of the total shares outstanding, which was previously held by Chairman Huang, but it was actually distributed to a PDD’s venture capital investor. According to the media’s speculation, these shares belong to a famous investor Yongping Duan, who once paid millions to have lunch with Warren Buffett.
Pure Treasure Limited 拥有的另外180,382,480股（占公司总股份3.77%）据说属于拼多多的一位早期天使投资人，此次也划转至该天使投资人名下，不再由黄峥控制。媒体推测，该天使投资人很可能就是黄峥的导师、身在美国的段永平。
Pure Treasure Limited owns the other 180,382,480 shares (accounting for 3.77% of the company’s total outstanding shares) and it is said that it belongs to one of PDD’s venture capital investors, and this time [these shares] are also transferred to this venture capital investor, and are not controlled by Zheng Huang anymore. It is speculated by the media that this venture capital investor is likely to be the mentor of Zheng Huang, Yongping Duan who is in the United States.
The “Disappeared” Charity Fund Stocks
Interestingly, Zheng Huang donated his personal 371 million shares to the PDD team and donated his personal 113 million shares to Fanxing Charity Foundation. The previous [371 million shares donation] was disclosed in the SEC filing, however, the latter [of 113 million shares donation] was not mentioned in the publicly disclosed filings. It was only mentioned in PDD’s public campaign and Zheng Huang’s open letter. No information on Fanxing Foundation can be found in English documents.
Because the United States public company only discloses the information regarding management owning 1% or more [of the company], and the other shareholders only disclose the shareholding information from shareholders with 5% or more [of the company], therefore the 113 million shares [of PDD] that were donated to the charity foundation by Zheng Huang just strangely disappeared.
The takeaway from all these sources is that the correct amount of Chairman Huang’s shareholding in PDD is undisclosed. That holding is worth appx $12 Billion USD in value, at the current price of PDD. Investors don’t know if Mr. Huang really owns those PDD shares, or perhaps he is just a proxy for another party or entity, be that PDD or an undisclosed person or entity. There’s no way to know whether whoever is controlling them is waiting for the right moment to dump these shares on the market. Or pledge them for collateral loans…
Conclusion: Red Flag Risks to PDD stock
Through multiple iterations spanning several years, and even in the wake of being kicked out of the Google Play Store in March, TEMU is running its software development effort in pursuit of maximum intrusiveness, abusiveness and stealthiness. The corporate ethos reflected towards the U.S. and Europe is “Whatever we can get away with…”
Beyond its malware / spyware, we have rarely seen a company display such a consistent attitude of impunity, throughout all levels of policy, execution and governance, customer and vendor relations.
Given all these actions in bad faith, it’s hard to believe the market has conferred upon PDD appx $135 billion in market cap. How it has earned access to the U.S. capital markets to fund its activities is darkly ironic. This is a house of cards. The risks of catastrophic regulatory intervention appear at all sides. Yet the company acts as if it is completely unaccountable.