
Careful What You Wish For: The NewProfilePic App

May 13, 2022 | Blog, Research

The Potential Risks of Using the Newprofilepic Application

Social media users have been abuzz about the ability to create a portrait-like image using the Newprofilepic app. “It really brings out the best in you!” they say.

Then, one day, the buzz takes a turn – “You haven’t heard? The Newprofilepic app is Russian, it may pose a threat to users’ privacy and cyber security. It sends all of your data back to Russia, I saw it in The Daily Mail!”

Do you freak out? Do you bury your head in the sand? Do you reset all of your passwords, fire your staff, burn your tax records, and set up a new shell company in Madagascar (which, I hear, is beautiful this time of year)?

VicMan Software website, looks like something out of the late 1990s…

Besides the potential risk of user data retention on servers in Russia, there are also concerns about the real-time collection and monitoring of user data.

When users create a new profile picture using the Newprofilepic app owned by Linerock Investments (pho.to), their personal information may be captured and stored by the company.

Potential Risk 2: Lack of Transparency and Accountability

The company’s About page says the “company was established in 2001 by Victor Sazhin…as a hobby business…[that] has developed several unique technologies for digital imaging.” It mentions it was restructured in 2005 in order to bring products to market. It is headquartered in Moscow, Russia and Alexandria, VA.

A search on Open Corporates [opencorporates[.]com] for Vicman Software reveals a company that was incorporated in Virginia on 21 October 2005 and was dissolved on 1 March 2022.

Sazhin is listed as an officer, along with Dmitri Dubograev and Yuri Bakay. Sazhin is also listed as an officer at a company registered as Filipark Estates, Inc. in Florida, presumably a residential property company.

Bakay is the founder of Mindcruncher, LLC located in Fairfax, VA, a company that helps Russian “companies to enter [the] American market successfully.” [source: https://mindcruncher[.]com]

Dubograev is a lawyer who runs femida[.]us, a law firm headquartered at the Alexandria, VA address listed in the registration for Vicman Software. The firm has “unique experience addressing legal issues arising from commercializing and marketing of innovative technologies and hi-tech products developed in the former Soviet Union.” [source: https://femida[.]us/about]

Presumably, Sazhin sold his company, or received investment and restructured in March 2022.

This lack of transparency and the unclear ownership structure can pose a cyber threat, as they may provide opportunities for threat actors to exploit vulnerabilities and share sensitive information.

Potential Risk 3: Connections to Suspicious Company Names

Does he still work there?
On February 20, 2022, four days prior to the start of the conflict between Russia and Ukraine, he posted the following:

Victor Sazhin Post on Facebook

[source: https://www.facebook[.]com/photo?fbid=10158745406390488&set=a.10153356273360488]

Sazhin indicates in this post that he lives in Moscow, and he mentions his company’s name, Photo Lab. A search through publicly available Russian corporate records reveals Victor Victorovich Sazhin has three currently operating companies: Vikman Development LLC, Informer Development LLC, and Photolab Development, LLC, all in the Moscow region.

Presumably, Vikman Development is related to the original company and Photolab is the successor company. No further information was immediately available on Informer Development, LLC, though the name seems rather suspicious. Research into the contracts any of these companies might have with the Russian government or government controlled entities may be telling.

Assume there are no contracts with the Russian government. What then? Photo Lab’s representative insists that no user data is retained. This should be good enough, right?

Mr. Sazhin’s lawyer Dmitriy Dubograev explains this beautifully:

[In Russia,] contracts are needed for the most part to cover your back and show them to state and tax authorities. The state stands as the enemy, against whom these companies try to defend themselves with paperwork.

In the U.S., your rights are just what you could secure to yourself in the course of contract negotiation. It is not the state that will impinge upon your rights.

[source: https://www.dw[.]com/en/russia-tightens-internet-controls-makes-it-easier-to-spy-on-citizens-critics-say/a-18690498]

In 2015, the Russian government enacted a requirement that all Russian companies store the data of Russian citizens on servers in Russia.

[source: https://www.sciencedirect[.]com/science/article/abs/pii/S0267364917303369#:~:text=According%20to%20the%20Russian%20legislation,data%20have%20to%20be%20stored.]

Most companies do not partition their user data by country of origin, as that would be cost-prohibitive. Since 2018, the Russian government has required all internet services to retain user data for at least a year.

[source: https://www.sciencedirect[.]com/science/article/abs/pii/S0267364917303369#:~:text=According%20to%20the%20Russian%20legislation,data%20have%20to%20be%20stored.]

After analyzing the Newprofilepic application, we found that there is a high possibility that user data is being kept for one year on servers located in Russia.

The concerning aspect is that one of the companies linked with Victor Sazhin may have signed deals with the government, allowing them to sell this data. However, it is crucial to investigate further before making any conclusions.

Therefore, before using any new application, it’s important to research thoroughly and take necessary precautions to protect your personal information. Don’t fall prey to harmful practices that put your privacy and security at risk. Always be vigilant and informed, and make sure to share what you learn with your friends and family.

A good threat intelligence team tries to understand the human and the technical aspects of a perceived threat and how it affects you and your bottom line and reputation.

It’s hard, but the result is rewarding. Snopes provides a valuable service, but like many organizations, they don’t have deep research and analysis capabilities.

Stick with them for the chicken nuggets, celebrities, and tweets, but when in-depth analysis is required, it’s best to rely on skilled intelligence analysts.
