In just 17 days after launch, Temu surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the US, according to Apptopia data shared with CNBC.

Stephanie Reynolds | Afp | Getty Images

US has charged discount shopping site Meet up of possible data risks after its Chinese sister app was pulled from Google’s app store over “malware” – but analysts say they’re not too worried.

Compared to Pinduoduo, which was suspended by Google in March after versions offered outside Google’s Play store were found to contain malware, Temu is “not as aggressive,” one analyst said.

Malware in Pinduoduo was found to exploit specific vulnerabilities of Android phones, allows the app to bypass user security permissions, access private messages, change settings, view data from other apps and prevent uninstallation.

Google called it an “identified malicious app” and urged users to uninstall the Pinduoduo app, but the Chinese online retailer denied these claims.

According to analysis by Kevin Reed, chief information security officer at cybersecurity firm Acronis, Pinduoduo requests as many as 83 permissions – including access to biometrics, Bluetooth and Wi-Fi network information.

“Some of these permissions Pinduoduo is asking seem to be unexpected for an e-commerce app,” said Reed, who shared his analysis of both apps with CNBC.

“But Temu is not as aggressive as Pinduoduo who demands all kinds of privileges,” Reed said.

Pinduoduo is a China-based e-commerce app that sells everything from groceries to clothes. It is the flagship product of the Nasdaq-listed Chinese company PDD Holdings who also owns Temu. Temu’s headquarters are in Boston.

Pinduoduo is much more aggressive in collecting users’ information and of course transferring it back to the company.

Kevin Reed

Chief Information Security Officer, Acronis

“There should be no need for biometric data to be stored on an e-commerce website or app. I personally would not want my biometric data to be stored anywhere other than my device,” said Sean Duca, vice president and regional head of security for Asia Pacific and Japan at cybersecurity firm Palo Alto Networks.

“Biometrics have much more value than anything else, because I can’t simply change my fingerprint at all, unlike passwords,” Duca said.

He also questioned why access to Wi-Fi information was necessary. If it’s the company’s Wi-Fi that the user is connected to, it will “become a very lucrative target for cybercriminals where they actually start to access this information,” Duca warned. “But why does an e-commerce provider really need it?”

What does Temu do?

Dubbed a copycat of fast fashion brand Shein, Temu is taking the US market by storm.

Just 17 days after its launch in September, the app surpassed Instagram, WhatsApp, Snapchat and Shein on the Apple App Store in the US, according to Apptopia data shared with CNBC. It launched in the UK in March, just weeks after it entered Australia and New Zealand.

The fact that Pinduoduo “requested even more permissions than the Temu app even though they appear to be a similar type of application seems overreaching to me,” Reed said.

“Pinduoduo is much more aggressive in collecting users’ information,” said Reed, who claimed the data was “obviously (transferred) back to the company.”

PDD Holdings did not respond to CNBC’s request for comment regarding those permits.

By comparison, the Temu app requests 24 permissions, Reed said. Some of these permissions include access to Bluetooth and Wi-Fi network information.

I’m less worried about the shopping apps than social media platforms like TikTok and Lemon8.

Lindsay Gorman

Senior fellow for emerging tech, German Marshall Fund

“There have been no reports of the malicious functionality found in official Play, App Store or third-party versions of Temu. The keys used to sign the Pinduoduo malware are not the same keys used to sign the Temu app,” said Daniel Thanos, vice president and director of Arctic Wolf Labs, the threat intelligence arm of cybersecurity firm Arctic Wolf.

“Based on our analysis, it appears that this malware is primarily targeting Chinese users, as it appears to target devices commonly sold and used in China such as Xiaomi, Vivo, Oppo, Samsung, etc, and their corresponding applications” , says Thanos. PDD Holdings did not immediately respond to CNBC’s request for comment.

Data risks

In a report on Chinese “fast fashion” platforms published in April, the US-China Economic and Security Review Commission accused Temu and Shein of posing possible data risks.

Shein and Temu “primarily rely on U.S. consumers to download and use Chinese apps to curate and deliver products,” the report said.

“These companies’ commercial success has encouraged both established Chinese e-commerce platforms and startups to copy their model, posing risks and challenges to US market access regulations, laws and principles,” it said.

Chinese-owned apps face intense scrutiny in the US due to security concerns. US lawmakers have warned that any Chinese app could be vulnerable to data breaches or interference from the Chinese government.

While politicians often accuse Chinese companies of handing over data to the Chinese government, there is no evidence to support such claims.

“But there’s also a bigger game here, which is that a lot of other apps that aren’t being talked about are also collecting information and have been for such a long time,” Duca said, noting that it’s more of a systemic problem.

Read more about tech and crypto from CNBC Pro

One analyst said she was less worried about shopping apps than social media platforms such as TikTok and its sister app Lemon8.

“From a national security standpoint, in addition to creating user profiles with all this data, social media platforms also have the ability to select, promote and demote content based on opaque metrics that we ultimately don’t really have insight into.” said Lindsay Gorman, senior fellow for emerging tech at the German Marshall Fund.

For shopping apps, the “real kind of content influence” could be Chinese companies promoting their products that “feel less of a threat to democracy,” Gorman said. Instead, social media apps can promote content about political topics that are much harder to track, she said.

TikTok is facing a possible ban in the US after its CEO Shou Zi Chew’s testimony before Congressthat failed to quell lawmakers’ concerns about the app’s ties to China or the appropriateness of Project Texas, its plan to store American data on American soil.

“ByteDance is not owned or controlled by the Chinese government. It is a private company,” Chew said during the hearing.

I don't think a suspension or ban of TikTok is needed, say analysts

In his first public interview since the congressional hearingsaid Chew at the TED2023 conference last week: “We’re building all the tools to prevent any of (Chinese government interference in US elections) from happening.”

He said he was “very confident” that risk can be reduced to as close to zero with the company as “very, very far” with Project Texas.

Another analyst, Glenn Gerstell, senior adviser at the Center for Strategic and International Studies, said these apps “are ultimately controlled by Chinese parties and that’s what the US political system will focus on.” Geopolitical tensions with China will continue to review Chinese apps.

“It may be that if we became more sophisticated we could separate one app from another and create a safer, more limited and controlled space. But right now we don’t have that system in place,” says Gerstell.