In May 2022, a new profile picture app, officially named “NewProfilePic Picture Editor” in Apple Store and “NewProfilePic: Profile Picture” in Google Play Store, reached the top of mobile charts with hundreds of thousands of downloads. As people posted pictures of this new app, mobile software that uses artificial intelligence to create profile pictures that look like they’ve been painted on, messages started circulating on social media claiming that this app was some kind of Russian scam.
Does the new Profile Pic app steal data?
One person shared a screenshot of the requested app permissions and wrote: “DO NOT DOWNLOAD NEW PIC.COM PROFILE APP it takes all your info and sends it to Moscow!!!!!!!”
The permissions listed in the image above aren’t out of the ordinary, compared to what many popular mobile apps do. When we compared the content of this screenshot to that of other leading apps, such as TikTok, WhatsApp and Instagram, we found that asking users for permission to “receive data from the internet” and “to have full access to the network” is not unusual. People should definitely be aware that they are granting this level of access to companies when they download their apps. That said, New Profile Pic’s permissions aren’t anomalous.
Is the New Profile Pic app based in Russia?
New Profile Pic was created by a mobile development group called Informe Laboratories, Inc., and copyrighted by Linerock Investments LTD, as per Google and Apple app store listings. These companies are also behind the popular apps “Photo Lab Picture Editor & Art” and “ToonMe – cartoons from photos”, two apps that collectively have millions of reviews, the vast majority of which are five stars.
On the Google and Apple App Store, the developer’s location is listed as Tortola in the British Virgin Islands.
The claim that this app was connected to Russia or the Kremlin was based on screenshots that supposedly showed how the newprofilepic.com website was registered in Moscow.
When we searched this domain on May 11, our results showed that this website was registered in Florida. We contacted Linerock Investments for more information, and a spokesperson told us that previously the domain was indeed registered in Moscow because the company’s founder had lived there. However, the spokesperson said that person had moved, and so the company changed the address of the domain registration “to avoid confusion”.
The spokesperson said via email:
It is true that the domain was registered at the Moscow address. This is the former Moscow address of the company founder. He does not live in the Russian Federation at the moment. Now the address has been changed to avoid confusion.
This app comes from a company in the British Virgin Islands that uses an international team of developers, some of whom reside in Russia. The spokesperson said:
We are a BVI company. Our application is developed by an international team with development offices in Russia, Ukraine and Belarus.
The Daily Mail reported that this app was developed by a company “overlooking the Moscow River three miles from Red Square”, hinting at a connection between this app and the Kremlin. When we asked Linerock about this claim raised by The Daily Mail, the spokesperson told us that the outlet was referring to an address of lawyers who had registered the company in Moscow, not the company itself. The spokesperson said:
The address on the Moscow River is the address of the lawyers who registered the company. We never had an office there.
A blog post on Linerock’s website, pho.to, detailed a longer response to the rumours. The company explained that it uses Amazon AWS and Microsoft Azure, two servers located in the United States, and that no images or user data are sent to Moscow:
However, there is a downside to the app’s popularity. The UK’s Daily Mail today published an article alleging that NewProfilePic is likely to ‘scavenge your data and send it to Moscow’, all because the app ‘was developed by a technology company based in Moscow”. 🙈
Again, we can’t help but remember the look-alike of ‘Bangladesh history’. All we can do is patiently explain that all of our apps (including NewProfilePic) are NOT a threat. We are a BVI company with development offices in Russia, Ukraine and Belarus. However, your photos (or any other data) are NOT sent to Moscow. All of our applications are server-based and user images are uploaded to Amazon AWS / Microsoft Azure servers located in the United States. This is necessary to apply all those fancy effects generated by AI technologies.
Does this app steal money?
Another popular social media rumor claimed that people withdrew money from their bank account shortly after downloading this app. This is an example:
We have not been able to confirm or deny that this actually happened. Additionally, many of the details surrounding these claims are unknown. (Was it a subscription? Was the money refunded? Did the user provide credit card information to the app?)
We’ve reached out to Google, Apple, and the user who posted the message shown above, and we’ll update this article if more information becomes available. A spokesperson for the app told us that while the screenshots showing the charges may be real, they weren’t from the New Profile Pic app because the app, at the time of this writing, is “absolutely free and contains no in-app purchases, so it does not require any payment information from users.
Since this article was published, the app has added in-app purchases.
The spokesperson said app stores are full of apps with the same name, some of which offer subscriptions or in-app purchases. It’s possible, the spokesperson suggested, that users accidentally used one of these similar apps and the service charged for them. The spokesperson told Snopes:
Since all photos shared on social media have our #NewProfilePic logo, people use the App Store search to find the app. If you check the search results, you will see other apps with quite similar titles. And some of them have in-app purchases. It is misleading and some users download multiple apps to get the effect and in some cases they can activate the trial through the paywall. They simply delete the app afterwards (which doesn’t stop the subscription) and are charged once the trial is over. So currently the charges are not triggered by our apps, but by competitors.
Is the new profile picture app safe to use?
In sum, the claim that this application is unusually invasive is false. Its requested app permissions are similar to those of other mainstream apps. The claim that this app steals data for the Kremlin is also not supported by evidence. This app was developed by a company in the British Virgin Islands that uses a team of international developers, some of whom live in Russia. Finally, the claim that users of this app had money withdrawn from their bank accounts is, so far, unsubstantiated.
It is also worth remembering that this app is not from a new company and New Profile Pic is not their first app. ToonMe and PhotoLab, two of the developer’s other apps, have over 150 million installs on Google Play. Both of these apps have been around for years, and we’re not aware of any reports that they’ve been used to steal money from people’s bank accounts or provide user data to the Kremlin.
A spokesperson for the app told us, “The NewProfilePic app does not store user accounts or any personal data. …This app is safe for people to use.
Although there is nothing unusual about this app, Joseph Steinberg, a cybersecurity expert, said that people should always be careful about the apps they download on their phones, especially when these applications come from different countries.
Steinberg told WFMY News 2:
“All of a sudden, when the company is based in Moscow, it’s oh my God, it’s Moscow and the company is collecting my data. The real problem is that they don’t ask about the other 30 apps on their phone that do the same thing. […] The reality is that if you look at the fine print of this app, it collects less data than many other apps. I think Facebook has a lot more information than TikTok. But the reality is if this app or TikTok or any other app from a foreign country, you don’t know how they are going to share the data.