Slashdot Mirror


Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk)

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning home to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due to its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.
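
The Android permission list in the summary above can be checked against an app's decoded manifest. The following is an added example, not code from the report or from Meitu: the mapping from the summary's Play Store wording to manifest constants, the photo-editor baseline and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: Play Store wording quoted in the summary -> manifest constant.
STORE_LABELS = {
    P + "GET_TASKS": "device and app history",
    P + "ACCESS_FINE_LOCATION": "accurate location",
    P + "READ_PHONE_STATE": "phone status; device ID & call information",
    P + "READ_EXTERNAL_STORAGE": "photos and files storage (read)",
    P + "WRITE_EXTERNAL_STORAGE": "photos and files storage (write)",
    P + "CAMERA": "camera",
    P + "ACCESS_WIFI_STATE": "Wifi connections",
    P + "INTERNET": "full network access",
    P + "RECEIVE_BOOT_COMPLETED": "run at startup",
    P + "WAKE_LOCK": "prevent device from sleeping",
}

# Assumption: what a photo editor plausibly needs for its stated purpose.
BASELINE = {P + "CAMERA", P + "READ_EXTERNAL_STORAGE",
            P + "WRITE_EXTERNAL_STORAGE", P + "INTERNET"}

# Permissions that can feed a device profile of the kind the summary describes.
EXPOSES = {
    P + "READ_PHONE_STATE": "IMEI and carrier details (older Android versions)",
    P + "ACCESS_WIFI_STATE": "Wi-Fi MAC address (before Android 6.0)",
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "GET_TASKS": "other apps in use (older Android versions)",
}


def requested_permissions(manifest_xml):
    """Return {permission: maxSdkVersion or None} from a decoded manifest."""
    # The manifest comes from an untrusted package: refuse DTDs so that
    # entity-expansion tricks never reach the XML parser.
    if "<!DOCTYPE" in manifest_xml.upper():
        raise ValueError("DOCTYPE not allowed in manifest")
    root = ET.fromstring(manifest_xml)
    perms = {}
    # uses-permission-sdk-23 requests a permission only on Android 6.0+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms[name] = node.get(ANDROID_NS + "maxSdkVersion")
    return perms


def audit(manifest_xml, baseline=BASELINE):
    """One finding per requested permission, sorted by permission name."""
    return [{
        "permission": name,
        "store_label": STORE_LABELS.get(name, "not in the summary's list"),
        "beyond_baseline": name not in baseline,
        "exposes": EXPOSES.get(name),
        "max_sdk": max_sdk,
    } for name, max_sdk in sorted(requested_permissions(manifest_xml).items())]


def profile_risk(findings):
    """Permissions outside the baseline that also expose profile data."""
    return [f["permission"] for f in findings
            if f["beyond_baseline"] and f["exposes"]]


# Constructed sample manifest (package name and contents are made up).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.selfie">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"
                   android:maxSdkVersion="28"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
""".strip()

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFEST):
        flag = "REVIEW" if f["beyond_baseline"] else "ok"
        print(f"{flag:6} {f['permission']:50} {f['store_label']}"
              + (f" -> {f['exposes']}" if f["exposes"] else ""))
```
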

81 comments

  1. Da fuq?!! by Anonymous Coward · · Score: 2, Funny

    Selfie app valued at $5 billion? *head asplodes*

    1. Re:Da fuq?!! by Oswald+McWeany · · Score: 2

      And it's called "Meitu",

      Please tell me that's not pronounced "Me Too" (although that would be the perfect name for a narcissistic selfie app).

      --
      "That's the way to do it" - Punch
    2. Re:Da fuq?!! by Luthair · · Score: 1

      Isn't Snapchat valued at ~25 billion?

    3. Re:Da fuq?!! by Anonymous Coward · · Score: 0

      It's pronounced "Me Too".

    4. Re: Da fuq?!! by Anonymous Coward · · Score: 2, Insightful

      I read it as "My Too"

    5. Re:Da fuq?!! by Anonymous Coward · · Score: 0

      *head asplodes again*

    6. Re:Da fuq?!! by Mashiki · · Score: 3, Interesting

      Isn't Snapchat valued at ~25 billion?

      Yep. And people don't think this dotcom bubble is going to burst anytime soon either. Then you've got stuff like Uber valued at ~68B, and blowing through 2-7B/quarter in losses. Think on that one, at 68B, they have a higher market valuation than the big-3 (GM, Ford, Chrysler) automakers. And they manufacture physical products, own their own credit financing divisions.

      My guess? We'll see that pop around the time that Canada's housing bubble pops. And anyone who thinks Canada isn't due for a massive housing price correction doesn't realize just how bad it is here. Here's a good kicker too, in Vancouver one of the really overly priced markets. The provincial government sets property taxes based on the "possible future valuation" of your property. There's people in industrial areas, who are going to see their property taxes go from $160k to over $1m this year and are looking to get the hell out.

      --
      Om, nomnomnom...
    7. Re:Da fuq?!! by ctilsie242 · · Score: 1

      The market might be like Austin, where the values are increasing because people from other countries are buying. Austin's values are shooting through the roof because of foreign investments, and those are not leaving anytime soon.

    8. Re: Da fuq?!! by The-Ixian · · Score: 4, Funny

      Yeah, me too

      --
      My eyes reflect the stars and a smile lights up my face.
    9. Re:Da fuq?!! by wardrich86 · · Score: 1

      Meitu thanks

    10. Re:Da fuq?!! by Anonymous Coward · · Score: 0

      Sure!!!

      The Chinese are buying up Austin, they want to feel right at home in a statist/communist environment - And there is no better statist environment, than Austin, TX. Group think, no opinions other than doctrine are permitted/allowed. It's a little slice of Red China in the heart of Texas.

    11. Re:Da fuq?!! by Mashiki · · Score: 1

      That's exactly what it is. It's not happening in just a few places, if you want to see how bad this gets, look at Vancouver in Canada, or Victoria in Australia. Housing prices are way-way-way above what the average person can afford. In the case in Vancouver something like 60% of them are empty as well. It's so bad, that they instituted a "foreign buyers tax" to try and stop it from happening. It's worked, kind of but not very well. If anything it's simply pushed the problem to other markets. Even here in Southwestern Ontario we see it. People get priced out of Toronto, then they go move to Woodstock, Ingersoll, Aylmer and so on. The same problem starts to happen again, except that those folks in Woodstock, Ingersoll, Aylmer and so on are earning around 1/2 to 1/3 what those people in Toronto earn.

      --
      Om, nomnomnom...
    12. Re:Da fuq?!! by NotInHere · · Score: 1

      Nobody cares whether bubble or not because of the gigantic growth in SV. Even if some valuation is overpriced, the company is expected to outgrow it, which is precisely the reason why it's so overpriced in the first place. Uber is the Amazon of the taxi industry, and Amazon in fact survived the first dot com bubble.

      These companies expand into a gigantic market with almost no competitors (and with a regulatory body that allows deals like the one struck in China where they simply gave up competing) and therefore have lots of growth ahead of them. The car companies on the other hand are fairly stagnant, and in fact may be challenged in the future by self driving and electric vehicle technology, by competitors who have a head start on this like Tesla, or by competitors who have lower production AND R&D costs AND gigantic amounts of capital behind them like the ones based in Asia.

      Plus, new companies like Tesla can build gigantic highly automated factories from scratch, while existing car companies would have to do layoffs to get similar cost reductions, but such layoffs are met by opposition from politics and unions. And last but not least, there is always internal opposition in such a traditional car company to do radical innovation, because it often bears a risk or out of general slower movement.

    13. Re:Da fuq?!! by LynnwoodRooster · · Score: 1

      It's not. It's pronounced "may too".

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    14. Re:Da fuq?!! by Anonymous Coward · · Score: 0

      It's not. It's pronounced "may too".

      "may too" phonetically to me sounds like it would translate to "American Dirt" depending on inflection.

    15. Re:Da fuq?!! by Anonymous Coward · · Score: 0

      And there is no better statist environment, than Austin, TX.

      Says the guy who's obviously never visited northern California, the Pacific Northwest, or anywhere on the eastern seaboard north of, say, Washington DC?

    16. Re:Da fuq?!! by Desler · · Score: 1

      And yet it's still better than living in most of the shitburg small towns in Texas.

    17. Re:Da fuq?!! by SirSlud · · Score: 1

      Foreign ownership numbers in Toronto are relatively low. A lot of things you're saying are kinda the super simple story version of reality ..

      --
      "Old man yells at systemd"
  2. Blame China! by Anonymous Coward · · Score: 1

    It's almost as if this story doesn't want to admit the NSA is also doing the same thing?

    1. Re:Blame China! by Anonymous Coward · · Score: 0

      Tu quoque.

    2. Re:Blame China! by Anonymous Coward · · Score: 0

      But this one you sign up for. And let's face it, as bad as the NSA is, China is 50x worse because they actively use information to censor people and go after them. While white, black, and Hispanic Americans have less to fear, Chinese-Americans have plenty as China has been using their power to distance them from family back in China and otherwise make their lives difficult:
      https://www.nytimes.com/2016/08/28/world/americas/chinese-canadians-china-speech.html

      For all the complaining the NSA and USA are Big Brother, China is far, far better at it and far more invasive with their information. The USA seems to be all in on terrorism and cares about little else. China wants to make sure you don't say bad things about Fearless Leader (R).

    3. Re:Blame China! by arth1 · · Score: 1

      I'm not worried about NSA or the Chinese government nearly as much as I am worried about corporations. While a government agency may or may not have good or bad intentions, in varying degrees, we know the concern of corporations is purely how much they can squeeze out of people. There's not even a chance that they have your best interest at heart. If they can get your data, and that data even gives them a microscopic push towards higher profits, they will collect and use it.

      American, Chinese and Russian government agencies are bad. Corporations are worse.

    4. Re:Blame China! by gnick · · Score: 1

      There's not even a chance that they have your best interest at heart.

      If they didn't have our best interest at heart, why would they give us this application for free? Surely you don't mean to imply that even free apps are financially motivated!

      TANSTAAFL. Some people miss this. If somebody's giving something away for free, find their angle.

      --
      He's getting rather old, but he's a good mouse.
    5. Re:Blame China! by Anonymous Coward · · Score: 0

      I don't see people disappearing off the streets because the NSA discovered the person's skeletons. China, OTOH, it is said that dissidents have a tendency to disappear, and wake up in pieces, Larry Niven style...

    6. Re:Blame China! by Dutch+Gun · · Score: 1

      Most corporations exist to earn a profit, and if you're the customer instead of a product, and if there's a healthy market, they at least have to compete for your business. Things tend to get screwed up when you're the product instead of a customer (when anything is *free* from a corporation, watch out), or when there's no real competition (cable/ISPs), then things tend to really go bad.

      It also really depends on how they go about making that profit. Done well, it's a mutually beneficial transaction in which all parties involved can benefit. Done badly, it can certainly be exploitative and evil. I don't think it's a good idea to lump them all together any more than it is for people.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    7. Re:Blame China! by BarbaraHudson · · Score: 1

      It's almost as if this story doesn't want to admit the NSA is also doing the same thing?

      Nah, it's SOP. Of course it's worth that much specifically because it steals all your data.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    8. Re:Blame China! by Anonymous Coward · · Score: 0

      For all the complaining the NSA and USA are Big Brother, China is far, far better at it and far more invasive with their information

      China is just more up front about it because its people really have no say in the matter. Also, we're more informed about it because we are NOT the Chinese people.

      If the USA were as transparent about what it does, there would be revolt and a call for action for change from the American people. Instead it's just watered down drivel under the pretence of terrorism.

  3. I didn't know by Anonymous Coward · · Score: 0

    China makes jewish app now.

    1. Re:I didn't know by Anonymous Coward · · Score: 0

      What kinds of jewish apps are like this? Maybe you meant china makes crooked white person app?

  4. If Microsoft does it, it must be good! by Anonymous Coward · · Score: 1

    Microsoft does this with Windows 10, so what's wrong with selfie apps doing it?

  5. So, pretty much like everything else? by Anonymous Coward · · Score: 0, Informative

    Windows, macOS, iOS, Android, most of your million-users-plus apps, whatever. Everything you use today phones home and collects user info. Stop trying to make it into yet another "you can't trust the Chinese" thing. The Slashdot mill needs to stop churning out dishonest bullshit like this, and get back to what it used to be.

    1. Re:So, pretty much like everything else? by Anonymous Coward · · Score: 0

      [citation needed]

    2. Re:So, pretty much like everything else? by Desler · · Score: 1

      Outside of Spotlight suggestions, which can verifiably be disabled, how does macOS phone home exactly?

    3. Re:So, pretty much like everything else? by Anonymous Coward · · Score: 0

      All apps try to dump as much data as possible. Even a generic fleshlight app wants access to contacts, phone status, pictures, music library, and everything else.

    4. Re:So, pretty much like everything else? by Anonymous Coward · · Score: 0

      Get Little Snitch and watch as ** every ** app sends data to anywhere and everywhere. Adobe and Autodesk manage to try to talk to more than a dozen servers each. Some are needed for authorization (it is 2017 after all, can't just sell the software) and some are needed for who-the-hell-knows.

      Even good ol Apple itself wants to talk to your little un-PC.

    5. Re:So, pretty much like everything else? by Anonymous Coward · · Score: 0

      Nobody gives (or should be bothered to give) citations to anonymous cowards. Might as well be talking to the walls.

    6. Re:So, pretty much like everything else? by TheFakeTimCook · · Score: 1

      Get Little Snitch and watch as ** every ** app sends data to anywhere and everywhere. Adobe and Autodesk manage to try to talk to more than a dozen servers each. Some are needed for authorization (it is 2017 after all, can't just sell the software) and some are needed for who-the-hell-knows.

      Even good ol Apple itself wants to talk to your little un-PC.

      How is Apple responsible for what Adobe, AutoDesk, et al, do?

      And I notice that you are, of course, quite vague with regard to Apple's activities in this area, as you cannot actually cite verifiable examples, instead just disparaging them with a ridiculous, snarky little comment at the end.

    7. Re:So, pretty much like everything else? by Anonymous Coward · · Score: 0

      Even a generic fleshlight app wants access to contacts, phone status, pictures, music library, and everything else.

      I can think of plenty of reasons why a fleshlight app would want to access all of that stuff - you could build social and location-based services around jacking off:

      1) "There are 7 other people jacking off within 250 meters of your location. Want to give or get a hand?"
      2) "Your buddy Mike has just started jacking off. Want to like his status?"
      3) "Want to record this JO session to share to Fetlife?"
      4) "Would you like to listen to some sexy music to jerk it to?"

      Fuck, I'd probably buy that app.

    8. Re: So, pretty much like everything else? by Anonymous Coward · · Score: 0

      Mod up funny.

  6. Lying by Anonymous Coward · · Score: 0

    I own no smartphone -- yet.

    But I assure you: one buy criterion will be that the OS be capable to lie to the apps when providing info (location, date & time, hardware, IMEI, other apps, versions, you name it).

    The default will be "random data".

    1. Re:Lying by ctilsie242 · · Score: 1

      xPrivacy used to do exactly that, but it (and the XPosed framework) seems not to have been updated in years.

    2. Re:Lying by Anonymous Coward · · Score: 0

      You won't be buying a smartphone anytime soon. Or at least you won't be turning it on....

    3. Re: Lying by Anonymous Coward · · Score: 0

      Xposed is constantly being worked on but only available for versions up to and including Marshmallow at the moment.

      https://forum.xda-developers.com/showthread.php?t=3034811

      Xprivacy is crap compared to PMP.

      http://repo.xposed.info/module/org.synergylabs.pmpandroid

      You'll also be wanting AFWall+

      https://forum.xda-developers.com/showthread.php?t=1957231

  7. We deserve what we get. by geekmux · · Score: 1, Insightful

    "...includes in its code up to three checks to determine if an iPhone handset is jailbroken..."

    When the code looks to sniff out less-than-legitimate activity, it tends to make you wonder who paid them to write it.

    "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it."

    At least we're finally being honest about what it takes to grab the attention span of the average idiot consumer.

    As ignorant as people are about privacy and security, I'm starting to believe we deserve what we get when it comes to solutions.

    1. Re: We deserve what we get. by Anonymous Coward · · Score: 0

      It helps when MSM like the NY Times legitimizes and promotes the spyware app. The consumer feels he can trust what the Journal of Record endorses. Until either the Times tech editor learns about security or all trust in the Times is eroded, the journalists need to bear some blame that you've assigned the idiot consumer.

      That said, how did this pass Apple's App Store vetting? Isn't the point of walling off the garden to prevent shit like this?

    2. Re: We deserve what we get. by DontBeAMoran · · Score: 1

      The question is, does Apple have the same verifications and checks in place in every country? I'd bet the Apple App Store in China has to let "government-approved" apps on the store.

      --
      #DeleteFacebook
    3. Re: We deserve what we get. by geekmux · · Score: 1

      It helps when MSM like the NY Times legitimizes and promotes the spyware app. The consumer feels he can trust what the Journal of Record endorses. Until either the Times tech editor learns about security or all trust in the Times is eroded, the journalists need to bear some blame that you've assigned the idiot consumer.

      I would agree in assigning burden. The journalists working for the MSM are also part of the same group of idiots. The main difference is the additional factor of greed, since they get paid to promote ignorance and falsehoods. Dumb as a fox? Perhaps. This might also explain how so much fake news has managed to "leak" into MSM. They get paid to promote facts or bullshit, since all it takes to generate revenue is hype these days.

      That said, how did this pass Apple's App Store vetting? Isn't the point of walling off the garden to prevent shit like this?

      Since part of the code was specifically designed to sniff out jailbroken iPhones, I guess that depends on who ultimately benefits from spyware-riddled software being approved. Greed can turn a blind eye to a lot.

    4. Re:We deserve what we get. by rwa2 · · Score: 2

      A Meitu spokesman actually replied to the ArsTechnica article on this:
      http://arstechnica.com/securit...

      Since they're a Chinese company, they have to collect their own user data since they don't have access to user data from the Apple / Google stores. So they likely have less info about you than most Western app devs.

      I installed Meitu on an Android 7.1 device yesterday. It only asks for device permissions as it needs them. I denied giving it access to my phone functions and the app works fine without that telemetry. But if you're really paranoid, go ahead and play with it in Andyroid or something.

    5. Re: We deserve what we get. by Anonymous Coward · · Score: 0

      True.
      You are right.

  8. Joker by Anonymous Coward · · Score: 0

    So Facebook does the same and nobody bats an eye.

  9. Damn copycats by Opportunist · · Score: 1

    Typically Chinese, they can't come up with anything themselves, all they can is copy our successful products!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Damn copycats by Anonymous Coward · · Score: 0

      While I hate Meitu and would never use it for various reasons, if you are claiming they copy Snapchat (released in 2011) or something along the line you would be off. Meitu was initially released in 2008 and advertised as an easy-to-use Photoshop replacement with emphasis on portrait editing. The name literally means "beautiful picture" and only natural to evolve to be more selfie-focused with popularity of cellphone cameras.

  10. Of course it does... by Anonymous Coward · · Score: 0

    Anything made in china phones home.

  11. Regulation by Luthair · · Score: 1

    As has historically been shown companies will not behave in a reasonable manner unless forced to via regulation. We need to reset the bar in terms of the data that companies can collect and retain.

  12. Time to block ads again by Anonymous Coward · · Score: 0

    Just got redirected from slashdot to https://feimewheatbellyblog.or... for a "critical chrome update download now!"

  13. ZOMG!!! CHINEESE SERVERS!!! by Anonymous Coward · · Score: 0

    I looked at the privacy policy and the permissions on Google Play and this app doesn't do ANYTHING that a million other apps do as well. People need to calm the fuck down.

  14. Remember: China is Bad, Russia is Good. by Anonymous Coward · · Score: 0

    Pay no attention to the orange man behind the curtain.

  15. Not so much for iOS by radish · · Score: 2

    It's worth pointing out that iOS doesn't allow apps to access the MAC, IMEI or any other persistent unique ID field (for just this reason). There is a unique ID field designed for apps to use for device identification but it is generated by the device on a per application basis, so it cannot be correlated with other apps. It also changes if you reinstall the app. Both of these facts make it fairly useless for nefarious purposes.

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    1. Re:Not so much for iOS by Anonymous Coward · · Score: 0

      Why is that worth pointing out? What does that have to do with this story?

    2. Re:Not so much for iOS by TheFakeTimCook · · Score: 1

      It's worth pointing out that iOS doesn't allow apps to access the MAC, IMEI or any other persistent unique ID field (for just this reason). There is a unique ID field designed for apps to use for device identification but it is generated by the device on a per application basis, so it cannot be correlated with other apps. It also changes if you reinstall the app. Both of these facts make it fairly useless for nefarious purposes.

      Good point!

    3. Re:Not so much for iOS by Anonymous Coward · · Score: 0

      It is actually quite relevant to someone who has finished reading the summary, since the article talks about this app that tries to see if the *iPhone* is jailbroken and this company Meitu which uses the *MAC* address to create unique identifiers for the devices.

      Maybe Android users are not used to this, but most iOS users are generally feeling pretty safe knowing apps cannot get the sort of access described in the article on a vanilla (non-jailbroken) OS.

  16. At least it doesn't install Windows 10 by Anonymous Coward · · Score: 0

    Double whammy.

  17. Well by DaMattster · · Score: 1

    I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

    1. Re:Well by Lirodon · · Score: 2

      I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

      because of filters and stickers and editing stuff

    2. Re:Well by TheFakeTimCook · · Score: 1

      I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

      because of filters and stickers and editing stuff

      IOW, stuff that should only be of interest to anyone 12 years old and under, and then, only for about a week.

    3. Re:Well by squiggleslash · · Score: 1
      --
      You are not alone. This is not normal. None of this is normal.
  18. Sounds like an app Google made by Anonymous Coward · · Score: 0

    "Harvests information", "Invasive advertising tracking features", "Privacy nightmare", "Poorly coded". Yup, that's a google app.

  19. "Me Too" is right by Anonymous Coward · · Score: 0

    "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it."

    This seems to be a pretty accurate description of every cellphone made anywhere.

  20. So does your Samsung email app... by Anonymous Coward · · Score: 0

    Just check what goes to mail servers in User-Agent as ActiveSync ID. Spoiler - it is your phone's serial number and IMEI.

  21. So just another normal app then by Anonymous Coward · · Score: 0

    I mean seriously, why is this even news?

    1. Re:So just another normal app then by Anonymous Coward · · Score: 0

      I mean seriously, why is this even news?

      I was wondering the same thing. If it didn't phone home it wouldn't be worth $5 billion - or now should it be worth more?

  22. No surprises here by thunderclees · · Score: 1

    Should anyone be surprised about something like this?

    Certainly the PRC has realized that the various spook+corps around the globe pay for dirt

    1. Re:No surprises here by Anonymous Coward · · Score: 0

      Well Google and the Internet as a whole has been collecting information on users for a good 15 years. Most big apps and operating systems do the same, so yeah I agree, obviously this is just F.U.D and anti-Chinese talk.

  23. Firewalling? by aglider · · Score: 1

    Why not firewalling that out? One could install a local firewall app (root likely required) to block all that traffic!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Firewalling? by Anonymous Coward · · Score: 0

      How do you intend to firewall data shared over the cellular network?

    2. Re: Firewalling? by Anonymous Coward · · Score: 0

      Same I block any app from accessing the network via WiFi.

      https://forum.xda-developers.com/showthread.php?t=1957231

  24. Have we not learned the lesson yet? by Anonymous Coward · · Score: 0

    Considering the trend over the past few years it's almost like Chinese software/hardware should be vetted by foreign agencies before allowing them to go to their market places no?

  25. All permissions is the default with Chinese apps by ukoda · · Score: 1

    When I lived in China I occasionally looked at installing Chinese apps, via Play Store, when mandatory for things such as banking. They typically demand app permissions for everything, including stuff that had no relevance to the purported application. I know from working with my team of developers in China they don't dig into options, if a solution works they move on to the next thing. If ticking 'All permissions' makes the app work my team would choose that unless I told them to spend more time and work out what is really needed. Therefore when presented with a Chinese app that wants all permissions I was never sure if it was a lazy app developer or overreach of the company developing the app. I refused to install these apps unless it was absolutely critical to my needs, such as getting paid.

  26. What do you think ... by allo · · Score: 1

    ... why they are valued $5 billion?

  27. Why am I not surprised? by sentiblue · · Score: 1

    Phucking chinese .... from small cheese app developers to big corporations like Lenovo... they all steal personal data... yet they don't get banned from the US.