Arizona Sues Temu Over Covert Data Harvesting Claims

Arizona’s attorney general has filed a major lawsuit against Temu, accusing the popular shopping app of secretly harvesting sensitive device data, deceiving consumers, and counterfeiting iconic state brands.  

The complaint paints a picture of an app that allegedly behaves less like a retailer and more like covert spyware.

“We allege that Temu has repeatedly and willfully violated the Arizona Consumer Fraud Act and put the privacy of Arizonans, including minors, at extreme risk,” Attorney General Kris Mayes said in her announcement. 

She added, “Arizonans should be aware that behind Temu’s low prices and shiny advertising, there is real danger.” 

How Temu’s App May Collect Far More Than Purchases

Temu has rapidly become one of the most downloaded shopping apps in the United States, fueled by aggressive marketing and rock-bottom prices. 

Tens of millions of purchases flow through the platform each year, including shipments ordered and delivered in Arizona. 

But the lawsuit alleges that Temu’s mobile app goes far beyond tracking user purchases — it infiltrates users’ devices to collect highly sensitive data and masks its activity using techniques more commonly associated with malicious software.

The case underscores the risk of consumer apps operating with opaque data practices — especially those governed by jurisdictions with broad data-access laws.

Allegations Claim Temu Operates Like Mobile Spyware

According to the complaint, Temu’s mobile app is engineered to harvest far more information than a typical retail application. 

Once installed, the app allegedly gains unauthorized access to:

• Precise geolocation
• Microphone and camera functionality
• Activity within other installed apps
• Sensitive and personally identifiable information (PII)

A review of Temu’s codebase allegedly shows layers of encryption intended to evade inspection and even the ability for the app to alter its own code post-installation — behavior that mirrors tactics used in mobile spyware. 

These capabilities could enable Temu to exfiltrate user data or manipulate a device in ways that remain undisclosed and undetectable.

Compounding these concerns, Temu is wholly owned by a Chinese company and is therefore subject to Chinese national security laws, which mandate cooperation with state intelligence services. 

The complaint also alleges a pattern of deceptive and fraudulent commercial behavior, including:

• Shipping products that do not match advertised images
• Faking customer reviews
• Unauthorized purchases made using stored payment data
• Counterfeiting trademarks belonging to the Arizona Cardinals, Fender Guitars, and multiple state universities
• Charging for undelivered or unwanted goods
• Referral schemes that promise prizes that never materialize
• Use of forced labor within its supply chain

Essential Mobile Security Tips for Users and Organizations

With consumer apps increasingly accused of aggressive data harvesting, both individuals and organizations face a growing need to tighten mobile security habits. 

What individuals can do

• Review and minimize app permissions, especially camera, microphone, and location access.
• Delete apps that request unnecessary or invasive device privileges.
• Monitor financial accounts regularly for unauthorized transactions.
• Avoid linking social or email accounts to high-risk apps and use virtual card payments when possible.
• Keep devices updated and disable background activity for apps that don’t need it.

What organizations can do

• Enforce MDM policies, app allow-listing, and block installation of high-risk consumer apps on work devices.
• Deploy mobile threat defense tools to detect malicious behaviors and risky outbound connections.
• Use network controls to block suspicious domains, foreign services, or unauthorized data flows.
• Educate employees about the risks of using personal shopping apps on corporate or BYOD devices.
• Include mobile app privacy and data-handling reviews in vendor assessments and overall security governance.

By taking these steps, individuals and organizations can meaningfully reduce their exposure to data-harvesting apps and hidden mobile threats.

How Mobile Platforms Create Rising Privacy Risks

The Temu lawsuit highlights a growing tension between state-level consumer protection laws and globally dominant mobile platforms whose data practices remain opaque. 

As shopping, communication, and device functionality increasingly merge into a single mobile ecosystem, privacy risks rise — especially when apps operate under state-level surveillance mandates. 

The case underscores how quickly consumer apps can evolve into enterprise threats.

This shift makes zero-trust principles more essential than ever for reducing exposure across users, devices, and applications.