Meitu, a Chinese photo-retouching app that gives your selfies anime-style makeovers, is wildly popular in the U.S. this month, but experts warn it could do more than just make you hauntingly adorable.
Besides smoothing your skin, adding color to your eyes and surrounding you with an angelic glow (in the photo, of course, not real life), Meitu requests far more permissions than it needs on your smartphone, and may be tracking you and sending your personal information back to China. The best Android antivirus apps won't help you with that.
"Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," security analyst Jonathan Zdziarski wrote on Twitter.
Meitu creates a unique profile based on your device, takes note of your cellular carrier and collects location data from your phone and EXIF data from photos.
According to security researcher FourOctets, the app sends the phone's IMEI number, a unique identity code, to servers in China.
In short, Meitu is a front for collecting advertising data. The Android version of Meitu seeks the following permissions, even though it should arguably need access only to the camera and photos:
- Device and app history
- Approximate location
- Phone status
- USB, photos, and files storage read and write
- Wi-Fi connections
- Device ID & call information
- Full network access
- Change audio settings
- Run at startup
- Prevent device from sleeping
To be fair, that's fewer than what many free Android apps request (check out the permissions requested by Facebook Messenger if you want a real scare), and Android Marshmallow and later let you opt of out app permissions one-by-one.
Nevertheless, you may be safer using the Meitu app on iOS than on Android. While Zdziarski says the app checks up to three times to see if your iPhone is jailbroken (which would make it far less secure than one that is not), another researcher, Will Strafach, writes that IMEI and MAC addresses aren't available to apps on iOS, making it impossible for Meitu to collect that data.
Meitu isn't new, but it only recently went viral in the United States, bringing more attention from security researchers and Instagram addicts alike. Also not new: apps trying to collect your data to send to advertisers. This app is just getting attention because of its viral fame.
Still, you may want to avoid it, especially on Android, if you don't want to be tracked. If you want an anime makeover, you're best off doing it on your own in Photoshop.