On March 31, 2026, the FBI dropped a public service announcement that should have been front-page news everywhere. It wasn’t a vague, bureaucratic suggestion. It was a direct warning to every American with a smartphone: many of the most popular apps in the country are funneling your personal data straight to servers in China, where the Chinese government can legally access it whenever it wants.
The announcement didn’t name specific apps. But cybersecurity reporters and government officials quickly connected the dots. The apps in question aren’t obscure. They’re on your phone right now. They’re on your kid’s phone. They’re on your mom’s phone. And the FBI is saying it’s time to pay attention.
The Apps You’re Probably Already Using
Let’s stop being coy about this. The apps that fit the FBI’s description include TikTok, CapCut, Temu, Shein, Lemon8, and the AI chatbot DeepSeek. According to Sensor Tower data, TikTok was the second most-downloaded app in America in 2025. CapCut, also owned by ByteDance, was fourth — climbing three spots from the year before. Temu’s gross merchandise value hit $27.4 billion in 2025, up nearly 22% year over year. Shein pulled in an estimated $14.6 billion in U.S. revenue the same year, up almost 17%.
These aren’t niche platforms. They’re apps that hundreds of millions of Americans use to shop for clothes, edit videos, scroll through memes, and ask AI chatbots to do their homework. And the FBI is now officially saying they pose a real data security risk.
Why China’s Laws Make This Different
Here’s the part most people miss. This isn’t about whether a specific app has been caught doing something shady (although some have — more on that in a minute). It’s about a structural legal problem that can’t be patched with a software update.
China’s national security laws require companies operating within the country to cooperate with government intelligence efforts. That’s not a conspiracy theory. It’s written into Chinese law. If an app maintains digital infrastructure in China — meaning its servers, its development team, or its corporate parent are based there — the Chinese government has a legal mechanism to demand user data. The FBI stated this directly in its advisory.
Some of these apps are pretty blunt about it, too. Their own terms of service say collected data is stored on servers in China for “as long as the developers deem necessary.” Some won’t even let you use the platform unless you consent to full data sharing, which makes the privacy settings page basically decorative.
They’re Collecting Way More Than You Think
Most people assume that if they deny an app permission to access their location or camera, the app respects that. The FBI says that’s not always the case. According to the advisory, some of these apps continuously collect data even when users only granted permission “while the app is active.” That means the app could be pulling your location data, your messages, and your microphone feed while sitting in the background doing nothing visible.
The default permissions are aggressive, too. With those defaults in place, these apps can harvest your entire contact list — names, phone numbers, email addresses, user IDs, and physical addresses. Not just your info. Everyone in your phone.
The FBI also flagged some warning signs that your device might already be compromised: unusual battery drain, unexpected spikes in data usage, and unauthorized activity on your accounts after installing a new app. If you’ve ever thought “why does my phone die so fast?” and recently downloaded a new app from a Chinese developer, that might not be a coincidence.
You Don’t Even Need the App to Be at Risk
This is the detail that genuinely surprised me. You might have never installed TikTok, Temu, or any of these apps — and your personal data could still be sitting on a server in China right now.
How? Because your friend did. Or your cousin. Or your coworker. When someone installs one of these apps and grants access to their contacts, the app can scoop up your name, phone number, email address, and physical address from that person’s phone. Your data gets collected and potentially stored overseas without your knowledge or consent. You never agreed to anything. You never even opened the app. But your information is gone.
U.S. intelligence officials have warned that this kind of data — scraped from millions of contact lists — can be used to build detailed profiles of Americans, map their personal and professional networks, and support intelligence-gathering efforts. That’s not a hypothetical. That’s the stated concern from people whose job it is to worry about this stuff.
DeepSeek Was Secretly Sending Data to ByteDance
If you needed a concrete example of why the FBI is worried, here’s a good one. South Korea’s Personal Information Protection Commission investigated DeepSeek, the Chinese AI chatbot that rocketed to the top of download charts, and discovered something alarming: DeepSeek was secretly sharing user data with ByteDance — TikTok’s parent company — without telling users or getting their consent.
South Korea pulled DeepSeek from app stores. Italy and Australia took action against it too. Meanwhile, in the U.S., Florida banned DeepSeek from the state’s Department of Financial Services. New York and Texas banned it from government devices and networks. The app had over one million downloads before anyone figured out what was happening behind the scenes.
This is exactly the kind of hidden data pipeline the FBI is warning about. The data doesn’t just stay with the app you installed. It can flow through corporate relationships you’d never know about unless a government investigator goes digging.
The Malware Risk Is Worse Than Data Collection
Data collection is one thing. Malware is another level entirely. The FBI’s advisory warns that some foreign-developed apps may contain “malicious code and hard-to-remove malware designed to exploit known vulnerabilities” in your phone’s operating system. According to the FBI’s description, this malware can install a backdoor that gives attackers escalated privileges on your device — meaning they can download and run additional malicious software, access your data, and maintain that access even when you think the app is closed or its permissions have been revoked.
This is a bigger threat on Android phones than iPhones, due to the openness of Android’s ecosystem and the common practice of sideloading — installing apps from outside the official Google Play Store. Google has started blocking installs from unknown developers, but the risk is still real for anyone who’s ever grabbed an app from a third-party website.
States Are Already Suing
The federal government isn’t the only one raising alarms. In February 2026, Texas Attorney General Ken Paxton filed lawsuits against both Shein and Temu. His statement on Shein was blunt: “Not only is Shein harming consumers with toxic synthetic materials, but it’s also exposing Americans’ data to Communist China.” He sued Temu over suspected ties to the Chinese Communist Party the same month.
Meanwhile, the TikTok saga resulted in a 2024 law requiring ByteDance to divest or face a ban. By early 2026, a deal created a new U.S. majority-owned joint venture involving Oracle, Silver Lake, and Emirati investor MGX. The FCC also announced a ban on new consumer routers made outside the United States — a sign the government is thinking about foreign tech risks well beyond just apps.
Americans Don’t Seem to Care — Yet
Here’s the uncomfortable truth. Despite congressional hearings, near-bans, lawsuits, and now a direct FBI warning, these apps are more popular than ever. TikTok defied everything thrown at it in 2025 and still ranked as the second most-downloaded app in the country. Temu and Shein grew by double digits. Even closing the “de minimis” trade loophole in May 2025 — which had let packages under $800 enter the U.S. duty-free and was a huge advantage for Chinese e-commerce platforms — didn’t slow them down much.
An associate professor at Miami University summed it up: “American consumers overall don’t really care about an app’s association with any specific country as long as they can find something they want at an affordable price.” That might be true. But the FBI clearly thinks the price is higher than what shows up at checkout.
What You Should Actually Do Right Now
The FBI isn’t saying delete every app made by a Chinese company. But they are saying you need to be a lot more careful than you probably are. Here’s their actual checklist, pulled directly from the advisory:
Only download apps from the Apple App Store or Google Play Store — never from third-party websites. Read the terms of service before you install anything (yes, actually read them). Disable unnecessary app permissions, especially access to your contacts, location, microphone, and camera. Use strong, unique passwords and consider a password manager. Keep your phone’s operating system and all apps updated to the latest versions.
Beyond the FBI’s list, go into your phone settings right now and audit which apps have access to what. On both iPhone and Android, you can review permissions app by app. If a shopping app has access to your microphone and contacts, that’s a problem. Remove any permission that isn’t absolutely required for the app to do its basic job.
And if you think your data has already been compromised, the FBI wants you to file a report at ic3.gov. Include the name of the app, where you installed it from, when you first used it, what data you think was exposed, and whether you’ve experienced any financial losses or identity theft.
The FBI doesn’t put out warnings like this for fun. When they tell you something’s a risk, it’s usually because they’ve already seen the damage.
