News

Is 'New Profile Pic' App a Russian Malware Scam?

There's little evidence to suggest that this app is any more invasive in its collection of user data than other apps.

Published May 11, 2022

Updated May 13, 2022
 (Google Play)
Image Via Google Play

In May 2022, a new profile pic app, officially named "NewProfilePic Picture Editor" in the Apple Store and "NewProfilePic: Profile Picture" in the Google Play store, shot to the top of mobile charts with hundreds of thousands of downloads. As people posted photos from this new app, a piece of mobile software that uses artificial intelligence to create profile pics that look as if they had been painted, messages started circulating on social media claiming that this app was some sort of Russian malware scam.

Some social media users claimed the app was stealing data in a criminal fashion. Others claimed it was based in Russia and connected to the Kremlin. Another rumor accused the app of being malware and taking money out of people's accounts. We looked into each of these claims and found that they were largely without merit or unsubstantiated. While this app does collect some user data, its privacy policy isn't out of the ordinary.

Is the New Profile Pic App Stealing Data?

People are often surprised to learn just how much personal data mobile apps are allowed to access. When claims started circulating that the New Profile Pic app was some sort of scam, many people shared screenshots of the app's privacy policy.

One person shared a screenshot of the requested app permissions and wrote: "DO NOT download the NEW PROFILE PIC.COM APP it takes all your information and sends it to Moscow!!!!!!!"

Text, Menu

The permissions listed in the above-displayed image aren't out of the ordinary, in terms of what many popular mobile apps do. When we compared the contents of this screenshot to that of other top apps, such as TikTok, WhatsApp, and Instagram, we found that requesting users' permission to "receive data from internet" and "have full network access" isn't unusual. People should certainly be aware that they are granting this amount of access to companies when they download their apps. That said, New Profile Pic's permissions aren't abnormal.

Is New Profile Pic app Based in Russia?

New Profile Pic was created by a mobile development group called Informe Laboratories, Inc., and copyrighted by Linerock Investments LTD, according to the listings in Google's and Apple's app stores. These companies are also behind the popular apps "Photo Lab Picture Editor & Art" and "ToonMe - cartoons from photos," two apps that collectively have millions of reviews, the vast majority of which are five stars.

On both Google's and Apple's app store, the developer's location is listed as being Tortola in the British Virgin Islands.

The claim that this app was connected to Russia or the Kremlin was based on screenshots that supposedly showed how the website newprofilepic.com had been registered in Moscow.

When we looked up this domain on May 11, our results showed that this website was registered in Florida. We reached out to Linerock Investments for more information, and a spokesperson told us that, previously, the domain was indeed registered in Moscow because the company's founder had lived there. However, the spokesperson said that that person had relocated, and so the company changed the address of the domain registration "to avoid any confusion."

The spokesperson said via email:

It is true that the domain was registered to the Moscow address. It is the former Moscow address of the founder of the company. He does not live in the Russian Federation at the moment. By now the address has been changed in order to avoid any confusion.

This app comes from a company in the British Virgin Islands that uses an international team of developers, some of whom reside in Russia. The spokesperson said:

We are a BVI company. Our app is being developed by an international team with development offices in Russia, Ukraine and Belarus.

The Daily Mail reported that this app was developed by a company "overlooking the Moscow River three miles from Red Square," insinuating a connection between this app and the Kremlin. When we asked the Linerock about this assertion raised by The Daily Mail, the spokesperson told us that the media outlet was referring to an address of lawyers who had registered the company in Moscow, not of the company itself. The spokesperson said:

The address on Moscow River is the address of lawyers who registered the company. We have never had an office there.

A blog post on Linerock's website pho.to detailed a longer response to the rumors. The company explained that they use Amazon AWS and Microsoft Azure, two servers located in the U.S., and that no user images or data are sent to Moscow:

However, there’s a flip side to the app’s popularity. The UK’s Daily Mail posted an article today alleging that NewProfilePic is likely to ‘hoover up your data and send it to Moscow’ – all because the app ‘has been developed by a tech company based in Moscow’. ?

Again, we can’t help remembering the lookalike ‘Bangladesh story’. All we can do is explain patiently that all our apps (including NewProfilePic) are NOT a threat. We are a BVI company with development offices in Russia, Ukraine, and Belarus. Nevertheless, your photos (or any other data) are NOT sent to Moscow. All our apps are server-based and user images are uploaded to Amazon AWS / Microsoft Azure servers located in the US. This is necessary in order to apply all those fancy effects driven by AI technologies.

Is This App Stealing Money?

Another popular social media rumor claimed that people had money taken out of their bank accounts shortly after downloading this app. This is one example:

We have not been able to confirm or disprove that this actually happened. Furthermore, many details surrounding such claims are unknown. (Was this charge for a subscription? Was the money refunded? Did the user provide credit card information to the app?)

We reached out to Google, Apple, and the user who posted the above-displayed message, and we will update this article if more information becomes available. A spokesperson for the app told us that while the screenshots showing charges may be real, they didn't come from the New Profile Pic App as the app, as of this writing, is "absolutely free and it does not contain in-app purchases so it does not require any payment information of the users."

Since publication of this article the app has added in-app purchases.

The spokesperson said the app stores are crowded with similarly named apps, some of which feature subscriptions or in-app purchases. It's possible, the spokesperson suggested, that users may have accidentally used one of these look-a-like apps, and that that service might have charged them. The spokesperson told Snopes:

Since all the pictures shared on the social networks bear our #NewProfilePic logo, people use app store search to find the app. If you will check the search results you will see other apps with pretty similar titles. And some of them have in-app purchases. It is misleading and some users download several apps to get the effect and in some they may activate the trial via the paywall. They simply remove the app afterwards (which does not stop the subscription) and get charged after the trial is over. So currently the charges are not triggered by our apps, but by the competitors.

Is New Profile Pic App Safe To Use?

In sum, the claim that this app is unusually invasive is untrue. Its requested app permissions are similar to other mainstream apps. The claim that this app is stealing data for the Kremlin is also unsupported by evidence. This app was developed by a company in the British Virgin Islands that uses a team of international developers, some of whom live in Russia. Lastly, the claim that users of this app had money taken out of their bank accounts is, so far, unsubstantiated.

While this app requests permission to access certain data on your phone, these requests aren't unusual. You can read more about the company's privacy policy on its website.

It is also worth reiterating that this app didn't come from a new company, and New Profile Pic isn't their first app. ToonMe and PhotoLab, two of the developer's other apps, have more than 150 million installs on Google Play. Both of those apps have been around for years, and we are unaware of any reports that they have been used to steal money from people's bank accounts, or to give users' data to the Kremlin.

A spokesperson for the app told us: "The NewProfilePic app does not store users' accounts or any personal data. ...This app is safe for people to use it."

While there isn't anything unusual about this app, Joseph Steinberg, a cyber security expert, said that people still needed to be cautious about what apps they download to their phones, especially when those apps come from different countries.

Steinberg told WFMY News 2:

“All of a sudden when the company is based in Moscow, it’s oh my God it is Moscow and the company is collecting my data. The real problem is they're not asking about the other 30 apps on their phone that are doing the same thing […] The reality is, if you look at the fine print of this app, it's collecting less data than many other apps. I think Facebook has a lot more info than TikTok does. But the reality is, if this app or TikTok or any other app from a foreign country, you don't know how they're going to share the data."

Updates

Updated [May 13, 2022]: Added statement from cybersecurity expert.

Updated [May 13, 2022]: Updated to note that the app has since added in-app purchases.

Dan Evon is a former writer for Snopes.