Meitu is one of Google Play's "Sand Hill" apps, part of the company's accelerator for apps with "viral potential" — take a pic of yourself and Meitu will make you over to look like an anime character, and all they ask in return is every salient fact about you that can be gleaned from your mobile device.
Meitu rolls in a bunch of off-the-self analytics tools that ask for a really wide variety of permissions that are not needed to provide the app's services: GPS location, cell carrier, wifi connection, SIM card ID, jailbreak status, and personal identifiers for cross-web tracking.
It's the modern successor to 2014's privacy invading flashlight apps, which marked the first time that the mainstream began paying attention to the privacy grabs in "free" apps.
To protect yourself, Android users should check the list of requested permissions before downloading an app, and can use the operating system's granular permissions options to control what each app can actually access. Users can also change their minds and revoke permissions they once approved. (Older versions of Android have a bit less flexibility, so update if you can.) In iOS it's harder to see in the App Store what permissions an app will require, but iOS also offers detailed controls in Settings, and actively prompts users the first time an app attempts to access something, like the microphone, to request opt-in permission.
It's no fun letting a meme pass you up because you're worried about privacy, but it's even worse to have your personal data taken for who knows what without you realizing it. Meitu may not be an outlier in the world of adware-bundled apps, but its popularity provides a useful teachable moment. Like a fantastical anime makeover, free apps often look snazzier on the surface than what's hiding underneath.
Meitu, a Viral Anime Makeover App, Has Major Privacy Red Flags [Lily Hay Newman/Wired]