Slashdot Mirror

← Back to Stories (view on slashdot.org)

Viral Chinese Selfie App Meitu, Valued at Over $5 Billion, Phones Home With Personal Data (theregister.co.uk)

Posted by msmash on from the security-woes dept.

The Meitu selfie horrorshow app going viral through Western audiences is a privacy nightmare, researchers say. The app, which has been featured on several popular outlets including the NYTimes, USA Today, and NYMag, harvests information about the devices on which it runs, includes invasive advertising tracking features and is just badly coded. From a report: But worst of all, the free app appears to be phoning some to share personal data with its makers. Meitu, a Chinese production, includes in its code up to three checks to determine if an iPhone handset is jailbroken, according to respected forensics man Jonathan Zdziarski, a function to grab mobile provider information, and various analytics capabilities. Zdziarski says the app also appears to build a unique device profile based in part on a handset's MAC address. "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it," Zdziarski says. Unique phone IMEI numbers are shipped to dozens of Chinese servers, malware researcher FourOctets found. The app, which was valued at over $5 billion last year due its popularity, seeks access to device and app history; accurate location; phone status; USB, photos, and files storage read and write; camera; Wifi connections; device ID & call information; full network access, run at startup, and prevent device from sleeping on Android phones.

39 of 81 comments (clear)

  1. Da fuq?!! by Anonymous Coward · · Score: 2, Funny

    Selfie app valued at $5 billion? *head asplodes*

    1. Re:Da fuq?!! by Oswald+McWeany · · Score: 2

      And it's called "Meitu",

      Please tell me that's not pronounced "Me Too" (although that would be the perfect name for a narcissistic selfie app.

      --
      "That's the way to do it" - Punch
    2. Re:Da fuq?!! by Luthair · · Score: 1

      Isn't Snapchat valued at ~25 billion?

    3. Re: Da fuq?!! by Anonymous Coward · · Score: 2, Insightful

      I read it as "My Too"

    4. Re:Da fuq?!! by Mashiki · · Score: 3, Interesting

      Isn't Snapchat valued at ~25 billion?

      Yep. And people don't think this dotcom bubble is going to burst anytime soon either. Then you've got stuff like Uber valued at ~68B, and blowing through 2-7B/quarter in losses. Think on that one, at 68B, they have a higher market valuation then the big-3(GM, Ford, Chrysler) automakers. And they manufacture physical products, own their own credit financing divisions.

      My guess? We'll see that pop around the time that Canada's housing bubble pops. And anyone who thinks Canada isn't due for a massive housing price correction doesn't realize just how bad it is here. Here's a good kicker too, in Vancouver one of the really overly priced markets. The provincial government sets property taxes based on the "possible future valuation" of your property. There's people in industrial areas, who are going to see their property taxes go from $160k to over $1m this year and are looking to get the hell out.

      --
      Om, nomnomnom...
    5. Re:Da fuq?!! by ctilsie242 · · Score: 1

      The market might be like Austin, where the values are increasing because people from other countries are buying. Austin's values are shooting through the roof because of foreign investments, and those are not leaving anytime soon.

    6. Re: Da fuq?!! by The-Ixian · · Score: 4, Funny

      Yeah, me too

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Da fuq?!! by wardrich86 · · Score: 1

      Meitu thanks

    8. Re:Da fuq?!! by Mashiki · · Score: 1

      That's exactly what it is. It's not happening in just a few places, if you want to see how bad this gets, look at Vancouver in Canada, or Victoria in Australia. Housing prices are way-way-way above what the average person can afford. In the case in Vancouver something like 60% of them are empty as well. It's so bad, that they instituted a "foreign buyers tax" to try and stop it from happening. It's worked, kind of but not very well. If anything it's simply pushed the problem to other markets. Even here in Southwestern Ontario we see it. People get priced out of Toronto, then they go move to Woodstock, Ingersoll, Aylmer and so on. The same problem starts to happen again, except that those folks in Woodstock, Ingersoll, Aylmer and so on are earning around 1/2 to 1/3 what those people in Toronto earn.

      --
      Om, nomnomnom...
    9. Re:Da fuq?!! by NotInHere · · Score: 1

      Nobody cares whether bubble or not because of the gigantic growth in SV. Even if some valuation is overpriced, the company is expected to outgrow it, which is precisely the reason why its so overpriced in the first place. Uber is the Amazon of the taxi industry, and Amazon in fact survived the first dot com bubble.

      These companies expand into a gigantic market with almost no competitors (and with a regulatory body that allows deals like the one struck in China where they simply gave up competing) and therefore have lots of growth ahead of them. The car companies on the other hand are fairly stagnant, and in fact may be challenged in the future by self driving and electric vehicle technology, by competitors who have a head start on this like Tesla, or by competitors who have lower production AND R&D costs AND gigantic amounts of capital behind them like the ones based in Asia.

      Plus, new companies like Tesla can build gigantic highly automated factories from scratch, while existing car companies would have to do layoffs to get similar cost reductions, but such layoffs are met by opposition from politics and unions. And last but not least, there is always internal opposition in such a traditional car company to do radical innovation, because it often bears a risk or out of general slower movement.

    10. Re:Da fuq?!! by LynnwoodRooster · · Score: 1

      It's not. It's pronounced "may too".

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    11. Re:Da fuq?!! by Desler · · Score: 1

      And yet it's still better than living in most of the shitburg small towns in Texas.

    12. Re:Da fuq?!! by SirSlud · · Score: 1

      Foreign ownership numbers in Toronto are relatively low. A lot of things you're saying are kinda the super simple story version of reality ..

      --
      "Old man yells at systemd"
  2. Blame China! by Anonymous Coward · · Score: 1

    It's almost as if this story doesn't want to admit the NSA is also doing the same thing?

    1. Re:Blame China! by arth1 · · Score: 1

      I'm not worried about NSA or the Chinese government nearly as much as I am worried about corporations. While a government agency may or may not have good or bad intentions, in varying degrees, we know the concern of corporations is purely how much they can squeeze out of people. There's not even a chance that they have your best interest at heart. If they can get your data, and that data even gives them a microscopic push towards higher profits, they will collect and use it.

      American, Chinese and Russian government agencies are bad. Corporations are worse.

    2. Re:Blame China! by gnick · · Score: 1

      There's not even a chance that they have your best interest at heart.

      If they didn't have our best interest at heart, why would they give us this application for free? Surely you don't mean to imply that even free apps are financially motivated!

      TANSTAAFL. Some people miss this. If somebody's giving something away for free, find their angle.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:Blame China! by Dutch+Gun · · Score: 1

      Most corporations exist to earn a profit, and if you're the customer instead of a product, and if there's a healthy market, they at least have to compete for your business. Things tend to get screwed up when you're the product instead of a customer (when anything is *free* from a corporation, watch out), or when there's no real competition (cable/ISPs), then things tend to really go bad.

      It also really depends on how they go about making that profit. Done well, it's a mutually beneficial transaction in which all parties involved can benefit. Done badly, it can certainly be exploitative and evil. I don't think it's a good idea to lump them all together any more than it is for people.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:Blame China! by BarbaraHudson · · Score: 1

      It's almost as if this story doesn't want to admit the NSA is also doing the same thing?

      Nah, it's SOP. Of course it's worth that much specifically because it steals all your data.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  3. If Microsoft does it, it must be good! by Anonymous Coward · · Score: 1

    Microsoft does this with Windows 10, so what's wrong with selfie apps doing it?

  4. Re:So, pretty much like everything else? by Desler · · Score: 1

    Outside of Spotlight suggestions, which can verifiably be disabled, how does macOS phone home exactly?

  5. We deserve what we get. by geekmux · · Score: 1, Insightful

    "...includes in its code up to three checks to determine if an iPhone handset is jailbroken..."

    When the code looks to sniff out less-than-legitimate activity, it tends to make you wonder who paid them to write it.

    "Meitu is a throw-together of multiple analytics and marketing/ad tracking packages, with something cute to get people to use it.

    At least we're finally being honest about what it takes to grab the attention span of the average idiot consumer.

    As ignorant as people are about privacy and security, I'm starting to believe we deserve what we get when it comes to solutions.

    1. Re: We deserve what we get. by DontBeAMoran · · Score: 1

      The question is, does Apple have the same verifications and checks in place in every country? I'd bet the Apple App Store in China has to let "government-approved" apps on the store.

      --
      #DeleteFacebook
    2. Re: We deserve what we get. by geekmux · · Score: 1

      It helps when MSM like the NY Times legitimizes and promotes the spyware app. The consumer feels he can trust what the Journal of Record endorses. Until either the Times tech editor learns about security or all trust in the Times is eroded, the journalists need to bear some blame that you've assigned the idiot consumer.

      I would agree in assigning burden. The journalists working for the MSM are also part of the same group of idiots. The main difference is the additional factor of greed, since they get paid to promote ignorance and falsehoods. Dumb as a fox? Perhaps. This might also explain how so much fake news has managed to "leak" into MSM. They get paid to promote facts or bullshit, since all it takes to generate revenue is hype these days.

      That said, how did this pass Apple's App Store vetting? Isn't the point of walling off the garden to prevent shit like this?

      Since part of the code was specifically designed to sniff out jailbroken iPhones, I guess that depends on who ultimately benefits from spyware-riddled software being approved. Greed can turn a blind eye to a lot.

    3. Re:We deserve what we get. by rwa2 · · Score: 2

      A Meitu spokesman actually replied to the ArsTechnica article on this:
      http://arstechnica.com/securit...

      Since they're a Chinese company, they have to collect their own user data since they don't have access to user data from the Apple / Google stores. So they likely have less info about you than most Western app devs.

      I installed Meitu on an Android 7.1 device yesterday. It only asks for device permissions as it needs them. I denied giving it access to my phone functions and the app works fine without that telemetry. But if you're really paranoid, go ahead and play with it in Andyroid or something.

  6. Damn copycats by Opportunist · · Score: 1

    Typically Chinese, they can't come up with anything themselves, all they can is copy our successful products!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Regulation by Luthair · · Score: 1

    As has historically been shown companies will not behave in a reasonable manner unless forced to via regulation. We need to reset the bar in terms of the data that companies can collect and retain.

  8. Not so much for iOS by radish · · Score: 2

    It's worth pointing out that iOS doesn't allow apps to access the MAC, IMEI or any other persistent unique ID field (for just this reason). There is a unique ID field designed for apps to use for device identification but it is generated by the device on a per application basis, so it cannot be correlated with other apps. It also changes if you reinstall the app. Both of these facts make it fairly useless for nefarious purposes.

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    1. Re:Not so much for iOS by TheFakeTimCook · · Score: 1

      It's worth pointing out that iOS doesn't allow apps to access the MAC, IMEI or any other persistent unique ID field (for just this reason). There is a unique ID field designed for apps to use for device identification but it is generated by the device on a per application basis, so it cannot be correlated with other apps. It also changes if you reinstall the app. Both of these facts make it fairly useless for nefarious purposes.

      Good point!

  9. Re:Lying by ctilsie242 · · Score: 1

    xPrivacy used to do exactly that, but it (and the XPosed framework) seems not to have been updated in years.

  10. Well by DaMattster · · Score: 1

    I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

    1. Re:Well by Lirodon · · Score: 2

      I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

      because of filters and stickers and editing stuff

    2. Re:Well by TheFakeTimCook · · Score: 1

      I'm not a millennial so I'm behind the times when it comes to apps. I've never heard of this Chinese Communist selfie app but it doesn't take an app to do a selfie. You've got an Android or iPhone builtin app to do it for you. It even lets you easily share it to Facebook. Who the hell really needs an add-on selfie app?

      because of filters and stickers and editing stuff

      IOW, stuff that should only be of interest to anyone 12 years old and under, and then, only for about a week.

    3. Re:Well by squiggleslash · · Score: 1

      It does some interesting things to your (or Julian Assange's) selfies.

      --
      You are not alone. This is not normal. None of this is normal.
  11. Re:So, pretty much like everything else? by TheFakeTimCook · · Score: 1

    Get Little Snitch and watch as ** every ** app sends data to anywhere and everywhere. Adobe and Autodesk manage to try to talk to more than a dozen servers each. Some are needed for authorization (it is 2017 after all, can't just sell the software) and some are needed for who-the-hell-knows.

    Even good ol Apple itself wants to talk to your little un-PC.

    How is Apple responsible for what Adobe, AutoDesk, et al, do?

    And I notice that you are, of course, quite vague with regard to Apple's activities in this area, as you cannot actually cite verifiable examples, instead just disparaging them with a ridiculous, snarky little comment at the end.

  12. No surprises here by thunderclees · · Score: 1

    Should anyone be surprised about something like this?

    Certainly the PRC has realized that the various spook+corps around the globe pay for dirt

  13. Firewalling? by aglider · · Score: 1

    Why not firewalling that out? One could install a local firewall app (root likely required) to block all that traffic!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  14. All permissions is the default with Chinese apps by ukoda · · Score: 1

    When I lived on China I occasionally looked at installing Chinese apps, via Play Store, when mandatory for things such as banking. They typically demand app permissions for everything, including stuff that had no relevance to the purported application. I know from working with my team of developers in China they don't dig into options, if a solution works they move on to the next thing. If ticking 'All permissions' make the app work my team would chose that unless I told them to spend more time and work out what is really needed. Therefore when presented with a Chinese app that wants all permissions I was never sure if it was a lazy app developer or overreach of the company developing the app. I refused to install these apps unless it was absolutely critical to my needs, such as getting paid.

  15. What do you think ... by allo · · Score: 1

    ... why they are valued $5 billion?

  16. Why am I not surprised? by sentiblue · · Score: 1

    Phucking chinese .... from small cheese app developers to big corporations like Lenovo... they all steal personal data... yet they don't get banned from the US.