Like most Android phone manufacturers, Alcatel has uploaded many of its phones' apps to the Play Store. This allows the company to update various system apps without sending out a full Android upgrade. Some time in mid-November, Alcatel's gallery app received such an update - a very bad update, if reviews from owners of Alcatel phones are any indicator.
The app was formerly known simply as "Gallery," and was published to the Play Store by "mie-alcatel.support" (one of Alcatel's developer names on the Play Store). The latest version of Gallery on APKMirror is from July of last year, and it's pretty basic. The only permission this version of the app asks for is file access.
The new version is quite a bit different. The Play Store listing is now called "Candy Gallery -Photo Edit,Video Editor,Pic Collage." The page now lists 'Hi Art Studio' as the developer, with its only other app being "Candy Selfie Camera." The new app asks for every single permission, including Device ID information, SMS access, Wi-Fi connection info, and much more. Sketchy is an understatement.
So what happened? We've reached out to Alcatel, and so far have not received a response. Therefore, we can only speculate. What we do know is that the cryptographic key on Candy Gallery matches Alcatel's old Gallery app, so one of three scenarios is likely.
First, Alcatel could have sold the app and signing key to 'Hi Art Gallery,' which would be very bad, as several other Alcatel apps use that key. Second, Alcatel could have sold the app listing, but still signs every release itself - this is less bad, but still pretty insulting to users. Third, the key could have been stolen, and 'Hi Art Gallery' created the listing.
The third option seems the least likely to us, given the app has been in this state for over two months now. Alcatel has doubtless received customer support complaints about the update, as the listing is littered with 1-star reviews. Such a breach of security would be extremely embarrassing for the company - the sort of thing they'd want to fix quickly. So while we can't rule out that scenario, we're leaning more toward "Alcatel sold out its users" than "Alcatel's app signing key was stolen and they didn't notice for two months."
At the time of writing, Candy Gallery has an average rating of 3.5 stars on the Play Store. Many recent reviews complain that the app doesn't load properly and shows advertisements. If you have an Alcatel phone with this app, you should try to disable it. Assuming you use the default launcher, hold down on the app from the homescreen, drag it to 'App info,' and click the Disable button. Then install another gallery app to replace it, like Google Photos or Focus.