BENGALURU: In the wake of the rising Ghibli-style photo trend — Japanese-style animated portraits, cybercrime police officials warn that these platforms have potential to collect and steal personal data and sending it to unknown third-party servers.

These AI-based platforms request access to more than just the camera — including microphone, contact list, photo gallery, and even permission to run in the background. Some may go further, with embedded code that tracks how users type.

Police said, the combination of personal inputs and wide-ranging permissions, especially on apps hosted outside India with unknown privacy terms, makes users vulnerable to profiling, targeted scams, and long-term data misuse.

Vineet Kumar, Founder and Global President of CyberPeace, said, the rising trend is not just about AI taking over artists but also the misuse of the technology, creation of unauthorised content, deepfakes, and copyright violations. There is also the risk of AI misinterpreting prompts, which can result in inappropriate images, he said. A senior police official explained to TNIE that once a user grants access and uploads a photo, the app starts pulling data linked to the device.

The uploaded image can be stored indefinitely and used to train even other AI models without user’s consent. “In some cases, facial features can be extracted to create digital identities and deepfakes. Apps that request access to contacts or microphones run silent background activity — all without the user’s knowledge,” the officer said, adding that these apps don’t always perform the function they promise — they are often just a front to collect personal information.

“While the interface may appear harmless, these platforms use deceptive code and permissions to bypass phone security, making it easy for attackers to build detailed user profiles for fraud or surveillance,” the official added.

Following the trend, there is an increase in AI apps and websites. Some of them even contain keyboard fingerprinting — code that tracks how a person types, including speed and typing errors. This can be used to crack passwords or mimic login behaviour and also plant tracking cookies or malicious code that continues to operate even after the app is deleted.

In some cases, photos uploaded are cross-referenced with publicly available databases to link one’s image with their social media or digital footprint, which can then be sold to data brokers or used for targeted fraud, the officer said.