Often, an app or game finds its way onto almost everybody’s phone. Sometimes you’d get it too just to see what all the fuzz is about. Like Pokemon Go or Prisma. Meitu is a similar viral sensation thanks to the massive coverage it has received online and because who wouldn’t want to instantly give themselves or their favourite politicians and celebs a Japanese-anime inspired makeover, and with the world?
But if you are one of those, it’s time to uninstall Meitu.
Meitu is asking for an awful lot of your data in exchange for the lolz — and the app also seems to contain some rather suspicious code. It was found today to be sending IMEI numbers to several China-based digital locations. That alone isn’t enough to do a whole lot, but given the massive amount of permissions the app seeks (and is granted) when it’s installed, the app has effectively given someone in China the ability to take control of the phone it’s installed on.
Meitu asks for a total of at least twenty-three permissions, together with full community entry, the flexibility to alter settings, actual location, MAC tackle, native IP, and more. The skin smoothing, eye brightening selfie app (previously called Meitu XiuXiu or MeituPic) has been around for years, but has become incredibly popular outside of its native Chinese market only in the past few days. According to the app, Meitu’s ‘drawing selfies’ — the very heavily made-over photos, complete with cartoonish filters and reworked backgrounds and visual effects like flowers and tear drops — have been activated over 118 million times by the app’s users.
While it is possible the developers behind the app do not mean any harm or to do anything malicious with this data collection but the potential for such unsavory actions is too high to ignore here. Many people don’t even trust Microsoft or Google with such data.
If you’re an iPhone user reading this, and smiling at how Android security sucks, iOS devices aren’t very safe either.
According to Jonathan Zdziarski, a security researcher who often digs into apps like this, the iPhone version of the app is quietly checking to see whether your phone is jailbroken (because that’s not creepy at all), which cellular carrier you’re using, and is even potentially able to uniquely identify your device using the hardware MAC address of your phone.
The presence of code for sending several details about the device for analytics was found first by Twitter user @rekrom12 while another twitter user @FourOctets intercepted the app’s network activity, linking it to several Chinese IP addresses. Android Police too confirms the presence of the unwanted code.
All in all, it’d be better to let go of your new and cute photo editing app until things are sorted out.