
Arizona Attorney General Sues Temu Over Alleged Data Theft And Spyware

Arizona Attorney General Kris Mayes has taken Temu to court, accusing the company of running a shopping app that quietly extracts sensitive data and hides how it operates.

The lawsuit, filed against Temu and PDD Holdings in Maricopa County Superior Court, points to behaviors the state says resemble spyware, including covert tracking, excessive permissions, and code built to avoid inspection.

Temu denies the allegations and says it plans to defend itself, but the case raises significant questions about what the app does on user devices and why the Attorney General believes it crosses the line under the Arizona Consumer Fraud Act.

Highlights

  • Arizona accuses Temu of covert data harvesting, excessive permissions, and spyware-like behavior.
  • The lawsuit highlights location tracking, app inventory collection, sensor access, and code that allegedly hides its operations.
  • Arizona seeks major penalties under the Consumer Fraud Act, while Temu denies all claims.
  • Users and IT teams are encouraged to limit permissions, use browser access, or block the app entirely.

Why Arizona Filed the Lawsuit


The Attorney General’s office says the Temu app gathers far more information than any normal retail service requires. In the state’s view, the collection is not only excessive but also hidden in ways that remove meaningful user control.

Arizona frames the alleged behavior as a combination of covert surveillance techniques, data exfiltration, and design choices that make inspection difficult even for trained analysts.

The lawsuit also folds in consumer fraud themes tied to product quality, billing issues, returns, counterfeit goods, and reviews. Still, the privacy allegations are the backbone of the filing.

The state argues that users cannot make informed choices when the app’s technical architecture masks what it is actually doing.

Temu states that the accusations are wrong. It says it follows normal privacy practices and intends to contest Arizona’s claims.

What Arizona Says The App Is Doing Behind The Scenes

Most retail apps ask for a small set of permissions. Arizona says the Temu app expands that list to a degree that invites serious privacy concerns. The AG’s office highlights several categories of behavior.

Sensor and Device Access That Extends Far Beyond Retail

The complaint focuses on several types of data:

  • precise location
  • microphone and camera access
  • a complete list of apps installed on a user’s phone
  • activity signals that reveal how a user interacts with other apps
  • Wi-Fi-based location inference
  • data from minors

None of these categories match what a simple shopping workflow requires. Arizona claims the collection is intentional, coordinated, and designed to stay out of sight.

Location Tracking Even When Permissions Shift

 


One of the most specific claims involves Android manifest files. Arizona says that during part of 2023, Temu removed ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION from its manifest, which would normally suggest that the app no longer collects location data.

The complaint says location signals kept flowing anyway, inferred through other device pathways.

Later, the state says the location permissions were added back into the manifest. Arizona highlights the timing to support its view that the behavior did not align with typical permission patterns.

Surveillance-Style Access to Other Apps

The Attorney General says Temu collects a list of other apps installed on a device, along with metadata tied to user activity. That inventory can reveal sensitive habits.

A person’s app list can expose financial behavior, health conditions, dating patterns, political interests, and family routines.

Arizona argues that collecting this inventory is not necessary for selling low-cost consumer goods.

Microphone and Camera Hooks

Arizona describes access to the microphone and camera functions. The filing does not claim that Temu records users outright. Instead, it argues that such access has no retail purpose and expands risk in ways that users cannot reasonably evaluate.

Data Collection Involving Minors

The Attorney General’s press release emphasizes that minors are affected. That detail strengthens the harm analysis because many privacy rules treat minors as especially vulnerable.

Code Techniques That Arizona Calls “Spyware-Like”

A person browsing Temu on a laptop with products displayed on the screen
Source: Youtube/Screenshot, Arizona says Temu hides its code and changes behavior to avoid scrutiny

Arizona uses loaded language here for a reason. The state is not only pointing to high-volume data collection. It argues that Temu uses tactics often associated with malware.

Obfuscation and Encryption Layers

The complaint says Temu’s code uses additional encryption layers and obfuscation techniques that make it difficult to analyze.

Obfuscation can serve legitimate purposes, but Arizona argues that the way it is applied here shields privacy-relevant operations from outside inspection.

Debugger Detection and Research Evasion

Arizona says the app detects rooted devices or debugging environments and alters its behavior to avoid inspection. Many malware samples use similar defensive measures to hide functionality from analysts.

Restricted Access to Older App Versions

The complaint states that Temu removes or limits access to old app builds in public archives. Analysts often compare versions to track how capabilities evolve. Arizona claims that limiting access prevents reliable verification.

Dynamic Patching With a Tool Named “Manwe”

Arizona describes a component called Manwe that lets the app modify its own behavior after installation.

The state argues that this undermines the value of App Store or Play Store review, because the reviewed code does not necessarily match the code that later runs on a user’s device.

From a legal standpoint, Arizona uses this argument to claim that user consent at installation is weakened. A user agrees to one version of the app, but receives another through post-install behavior changes.

Examples Of Alleged OS-Level Exploitation

Arizona Attorney General Kris Mayes speaks at a press conference with flags behind her
Source: Youtube/Screenshot, Arizona claims Temu used OS functions to track apps and infer location even without standard permissions

Arizona highlights specific technical choices that, in its view, go far past retail needs.

Use of Android’s getRunningTasks

The complaint says Temu used getRunningTasks, a method that can expose activity information about other apps. Arizona links this to the claim that Temu collects app inventories and user behavior patterns.

Location Inference Through Wi-Fi Networks

The lawsuit explains that Wi-Fi networks can serve as location anchors because many access points have known coordinates.

When a phone sees those access points, location becomes traceable even when GPS permissions are not granted.

Arizona uses this point to argue that removing location permissions in the manifest did not actually protect users from location tracking.
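The manifest-permission sequence and the Wi-Fi point above can be checked by comparing the declared permissions of successive builds. This is an added example, not code from the complaint or from any app: the package name `com.example.shop`, the three sample manifests, and the watchlist grouping are constructed for illustration. It only reads what a manifest declares, not what the app does at runtime.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Real Android permission names, grouped (assumption) by the complaint's categories.
WATCHLIST = {
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "ACCESS_WIFI_STATE": "wifi",
    P + "RECORD_AUDIO": "microphone",
    P + "CAMERA": "camera",
    P + "QUERY_ALL_PACKAGES": "app-inventory",
    P + "GET_TASKS": "app-inventory",
}

def requested_permissions(manifest_xml):
    """Return the permission names a decoded AndroidManifest.xml requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def categories(perms):
    """Map a permission set to the watchlist categories it touches."""
    return {WATCHLIST[p] for p in perms if p in WATCHLIST}

def compare_builds(old_xml, new_xml):
    """Diff two builds; note dropped location permissions that leave Wi-Fi access."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    report = {"added": sorted(new - old), "removed": sorted(old - new), "notes": []}
    old_cats, new_cats = categories(old), categories(new)
    if "location" in old_cats and "location" not in new_cats and "wifi" in new_cats:
        report["notes"].append("location permissions dropped; Wi-Fi state access remains")
    if "location" in new_cats and "location" not in old_cats:
        report["notes"].append("location permissions (re)introduced")
    return report

def manifest(*names):  # builds a constructed sample manifest for a hypothetical app
    perms = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.shop">%s</manifest>' % perms)

# Constructed builds mirroring the described sequence: present, removed, added back.
BUILD_A = manifest("INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_WIFI_STATE")
BUILD_B = manifest("INTERNET", "ACCESS_WIFI_STATE", "CAMERA")
BUILD_C = manifest("INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_WIFI_STATE", "CAMERA")

if __name__ == "__main__":
    print(compare_builds(BUILD_A, BUILD_B))
    print(compare_builds(BUILD_B, BUILD_C))
```

The input is the text-form manifest produced by decoding an APK; the binary manifest inside the APK must be decoded first.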

The Pinduoduo Backstory And Why It Matters

Arizona links Temu to a broader history involving Pinduoduo, another app under PDD Holdings. In 2023, Pinduoduo faced serious scrutiny.

Google removed it from the Play Store while reviewing security issues. Independent security firms released findings describing malicious versions circulating outside official channels.

Arizona mentions this connection to suggest a pattern across apps tied to the same corporate ecosystem. The state argues that Temu shares design traits with Pinduoduo, including behaviors that evade platform oversight.

What Arizona Says Was Harmful


Arizona frames harm in three ways.

Harm Through Invisible Data Harvesting

Users cannot protect themselves when collection happens in hidden channels. The state says the app’s architecture makes it impossible for users to grasp the scope of extraction.

Harm Through Sensor Access

Sensor permissions can reveal intimate information. Location, microphone, and camera access create wide privacy exposure, particularly when paired with other device data.

Harm Through Minors’ Data

The complaint highlights minors specifically. That places Temu’s alleged conduct in a more serious category because many privacy frameworks treat minors as requiring heightened safeguards.

What Arizona Wants The Court To Do

Under the Arizona Consumer Fraud Act, the AG is asking for standard remedies plus civil penalties.

Requested Penalties and Actions

Arizona seeks:

  • A permanent injunction that bars deceptive practices
  • Restoration of money or property gained through unlawful conduct
  • Disgorgement of profits
  • Civil penalties of up to $10,000 per willful violation per defendant
  • Reimbursement of state costs and attorneys’ fees

The scale of potential penalties depends on how the court interprets each alleged violation.

Temu’s Position And Multi-State Context

The Temu logo displayed on a phone and computer screen
Source: Youtube/Screenshot, Temu denies wrongdoing as more states join Arizona in lawsuits

According to AP News, Temu denies the allegations. Public statements say the company rejects the claims and plans to defend itself. The company describes itself as a platform focused on affordability and consumer access.

Arizona is not alone. Attorneys general in Kentucky, Nebraska, and Arkansas have filed similar suits. That pattern signals state-level concern surrounding the app’s design, not a single flare-up.

Practical Takeaways For Everyday Users

Regardless of how the case ends, the allegations revolve around device-level risk. People who want to reduce exposure can take straightforward steps.

Safer Usage Approaches

  • Use Temu through a web browser instead of the app
  • Turn off location permissions
  • Revoke microphone and camera permissions
  • Restrict access to files, photos, and device identifiers
  • Delete the app if you feel uncomfortable, and follow the guidance on deleting accounts
  • Run a reputable malware scan that fits your device type
  • Consider routing traffic through a trusted VPN provider such as CyberGhostVpn

What to Look Out for on Your Phone

Unusual device behavior can signal deeper issues. Watch for:

  • Sudden battery drain
  • Data usage spikes
  • Microphone activation indicators
  • Unexpected network connections

Practical Takeaways For Businesses And IT Teams

Close-up of a Temu product page with an Add to Cart button on a smartphone
Source: Youtube/Screenshot, Limit shopping apps and restrict permissions on work devices

If a company manages phones for employees or students, consumer shopping apps introduce unnecessary risk.

Risk Reduction Strategies

  • Block installation of discount shopping apps on managed devices
  • Separate personal and work environments through profiles or containers
  • Audit outbound network patterns to ensure sensitive systems remain isolated
  • Use mobile device management to restrict sensor access

Key Allegations

Allegation category | What Arizona claims | Why it matters | User-side mitigation
Covert location collection | Inference or collection even when permissions did not reflect it | Location reveals daily patterns and sensitive routines | Turn off location, use web checkout
Spyware hallmarks | Obfuscation, anti-analysis, concealed exfiltration | Hidden behavior blocks informed consent | Avoid app install or isolate it
Sensor access | Microphone and camera hooks | Sensitive content exposure | Revoke sensor permissions
App inventory collection | List of installed apps and activity | Profiling and targeting concerns | Use restricted permissions or a separate profile
Post-install modifications | Behavior changes via Manwe | Users cannot rely on what they installed | Avoid app or monitor device activity

Summary

Arizona built a detailed narrative that portrays Temu as a high-risk app with covert data practices. Temu denies the claims and says it will defend its position.

The court will determine the outcome, but the allegations offer a reminder that mobile apps can operate with far more reach than their user interfaces suggest.
