Important elements of the analysis
- Entropy coefficient of the APK
- Warnings concerning possible Phishing detections
- Profiling of the connected user
- Gathering and use of the phone number associated with the account
- Access to microphone and camera for the purpose of making audio recordings, screenshots and recording videos
- Access to phone contacts for sharing the application
- Browsing history in the application and searches made
- Suspicious HTTP requests to two identified IP addresses containing different attributes and parameters obtained
- Configuration for HTTP request parameters
- Obtaining device ID and phone information
Temu is a new e-commerce application, available for Windows, Android and iOS, which allows the purchase of various products at very low prices. Several concerns and fears about data security and user privacy emerged after the publication of the analysis prepared by GlizzlyReports at the following link: We believe PDD is a Dying Fraudulent Company and its Shopping App TEMU is Cleverly Hidden Spyware that Poses an Urgent Security Threat to U.S. National Interests – Grizzly Research LLC (grizzlyreports.com)
In the present analysis, the APK archive (version 2.9.1) with hash 8601e8ec7dc523f02df8bd52a4ac22e3 was taken in consideration.
The archive has a high entropy coefficient indicating a packing and obfuscation situation.
By examining the hexadecimal code of the application, one can see references to the baogong package, which contains various payment management methods, shopping carts enumerations, but also hardware information gathering methods and permissions that are rather invasive but necessary for certain Temu features.
Here’s the distribution of bytes of the APK, in which a byte shuffling phase is evident in the high region:
Following are the details of the memory mapping of the APK archive, where the header of the PK file, identifying archive-type files, is highlighted.
In the hexadecimal dumping of the section, we can see the reference to German language strings and the app_baogong package, which allows the settings of the UI model XML to be managed in this case.
We have evidence of constructs referring to HTML href links and buttons for the WebView structure:
Next are the extracted strings relating to a recent warning for the application itself by Google Safe Browsing and associated with deceptive behaviour, thus referring to potential fake pages requesting electronic card payments:
Temu uses different Calendar type modules and attributes for DateTime and dayNames patterns, so depending on the nationality of the device on which the application is installed, different approaches are used to manage dates and days of the week.
Below are some references to cyrillic strings for multilingual selection:
The ID used by Temu in API request contexts is 262921625321:
Temu has several physiological features characteristic of e-commerce applications, including the addition of the DHL postal number for the courier, addition of the credit card (including the addition of the CVV number to make payment by 3DS method), addition of the telephone number.
The phone number entered will therefore be associated with the connected user. There are then references to the permissions required by Temu, such as access to the camera, access to the phone storage, access to the microphone, access to the location:
There is the possibility to edit and delete any orders placed, cancel payments and payment methods, such as PayPal.
There is a browsing history that keeps track of the e-commerce-side navigation carried out through the use of the application. There is a profiling module that keeps track of the activities of connected users.
Temu can be linked to the payment methods Afterpay, Clearpay, Klarna, PayPal and iDEAL.
Here strings reference the entry of the account verification code, the e-mail address or the associated telephone number.
Further examination of the extractable strings reveals evidence of Base64-encoded patterns referring to a certificate file:
The application’s permission to access the location could be due to the fact that it allows specific addresses to be opened with Maps:
There is the possibility of saving the credit card entered: this practice may be undesirable for some users who often prefer to enter their credit card information at the time of payment when making and authorizing via the 3DS system.
There is profiling with regard to addresses and suggested searches for previous activities:
The microphone is accessed via the voice search functionality:
The application requires authorization to change the credit card used for payments if the default payment method is not available.
Source code analysis
Next are the definitions of the hexadecimal attributes referring to the permissions obtained by Temu. We can mention permissions related to the camera, access to contacts, access to the microphone, access to storage, access to the current location, access to phone settings and access to audio and video recording settings.
In the a00 package, we can see the definition of an application installation token and identification of the network operator.
Here is a series of try-catch constructs, each individualizing different contextual events in the payment phase:
The toString method is of type String and creates a StringBuffer object, which contains various attribute details of headers, connections and bodies:
Here are some attributes refer to boolean conditions, so checking for callback requests:
Here the construction phase of the parameter structure of the billingAddressModel object for the payment and credit card checkout phase.
There are listeners for the closing events of View instances:
Here the method for converting CMDataEntity objects into a string, containing several parameters, including text and save timestamp:
Below is a reference to the contents of the clipboard called when executing method C262781.m18517e:
The class C0106a contains numerous references to registered credit cards and an enumeration of them is performed; in fact, in the event that the card_content_list object is other than null, the method card_content_list.m47839d is called and the result of the function call is saved inside the variable C14414h:
When external payment applications are called, objects of type PayAppDelegate are used, saving the target URLs in the object c9886a.f30781b in the event that the value of index i is 2.
Temu uses the 3DS secure payment method as can be seen from the m91108d payment configuration.
Temu saves the client_key of the device on which it is installed and the Android SDK of the phone:
The Iris payment method is also supported:
Below are the details of the HTTP packet sent containing the information and details of the device in question, such as IP, DNS, localhost:
The method com.baogong.bottom_rec.fragment.utils.c.a takes as input argument a hashMap object and via UriBuilder objects makes API calls for Poppy credit cards.
Next we can see the detonation of the application in question where we can see HTTP requests including individualizing attributes such as ID, app ID, domain package name.
Here several Temu domains contacted in the execution phase:
Among the services performed we can note connectivity and storage. It makes use of the androidxx.JizhanHelper and androidxx.MdfyHelper modules. Among the called methods is evidence of obtaining the type of connections in force on the device by means of the boolean function android.net.NetworkCapabilities.hasTransport:
Temu obtains the details of the network security policies, the device ID, it sets the attributes of the sockets objects used at runtime and there are event handlers from the whaleco library.
The MAC address of the network interface used is obtained via the java.net.NetworkInterface.getHardwareAddress method:
The package t21 contains the method of type String f, which returns various DNS configuration attributes and handles HTTP requests to IP addresses 20.15.0[.]56 and 20.15.0[.]9:
The h method returns an object of type ArrayList of strings containing the IP address 20.15.0[.]9:
The IP address 20.15.0[.]8 is also included in the ips parameters of the ArrayList:
The public static method d is of type StNovaSetupConfig. It allows the configuration attributes regarding the IP address 20.15.0[.]56 to be set within an array of type String while the URI is “/d3” and the headers are placed in an object of type HashMap.
With a DTI analysis of the domains us[.]thtk[.]temu[.]com and us[.]temu[.]com, which are used by HTTP requests via the IP address 20.15.0[.]56, the following details concerning the open ports 80 and 443 can be revealed. The details include the api_uid attributes, which are required for HTTP and HTTPS requests:
The domain us[.]temu[.]com has an nginx web server infrastructure:
Here are several static attributes, arrays of integers relating to layout objects and frame position management:
Certain individualizing attributes of the telephone on which Temu is installed, such as tel_location_id and email_id, are obtained in a serialized manner:
In the class z1 we can see the method of type Object a (which will then implement the same in the class c1), which obtains the serial number associated with the user with the getter this.f60958a.getSerialNumberForUser(this.f60959b).
In the hashtable2 object, various individualizing attributes are added, such as delivery address, serial number, telephone number.
In the package cu0 and the class c we can see the use of the API of Line[.]me, an instant messaging application:
Temu has permission to access the phone’s contacts for the purpose of sharing the application itself:
In the event that the Boolean attribute of the phone’s contact read permission is equivalent to TRUE, a String array containing the enumerated contacts on the phone is filled in:
Temu possesses numerous characteristics that, although physiological and consistent with the category of the application itself (e-shopping), are to be considered potentially harmful to the privacy and data of users. This is the main reason why Temu could be regarded as a potentially unwanted application and, consequently, classified as suspicious by the various application stores.
What is striking about Temu is the invasiveness it has on the devices on which it is installed and its peculiarities of obtaining identifying attributes, such as the device ID when sending individualizing HTTP requests. According to Temu’s terms and conditions, moreover, if the default payment method saved within one’s account is not available, the application will proceed to select a second credit card (if previously set within the payment methods).
Temu could therefore ultimately be classified as “GreyWare”’ insofar as it is not really identifiable as malware, but nevertheless capable of negatively influencing the user experience by having questionable and non-transparent behaviour.