
The first smartphone with agentic AI has arrived — and it brought a massive problem

The Doubao Phone emerged as the first smartphone on the planet to integrate an AI agent directly into the operating system, and since its launch in China in December 2025, the device has been sparking intense debates across the global tech market. Born from a partnership between ByteDance and ZTE, the device (also known as the Nubia M153) proposes something that felt like science fiction not long ago: an intelligent assistant that operates autonomously, capable of booking restaurants, purchasing tickets, scheduling appointments, and even making payments without the user needing to jump between multiple apps. The idea is to eliminate the friction of toggling between apps to complete simple everyday tasks, something anyone who uses a smartphone knows all too well.

But all that convenience came with a controversy nobody expected — or rather, one that maybe everyone should have seen coming. Within days of the launch, some of China’s biggest apps, including WeChat, Alipay, and Taobao, flat-out blocked the Doubao Phone from functioning on their platforms. The reason is as fascinating as it is alarming: the artificial intelligence agent embedded in the device has full access to the screen, can read the content of every installed app, and interacts with them as if it were the phone’s actual owner. Critics went as far as calling the agent a true digital burglar with the fingertips of a god — a nod to its ability to tap and click on anything on the screen with no distinction between human and automated actions.

For banks and payment platforms, it became nearly impossible to tell whether the person making a transaction was the real user or the AI acting on their behalf. WeChat, the most essential superapp in Chinese digital life — which functions as a combination of WhatsApp, Facebook, Uber, Amazon, and a banking app all in one interface — activated its high-risk security controls and cut off access for the Doubao Phone. The decision put two of China’s biggest internet powerhouses, Tencent and ByteDance, on a direct collision course.

The situation escalated even further when a video went viral on Little RedNote — a Chinese platform similar to Instagram — showing a user’s bank balance exposed not only on their own Doubao Phone, but mirrored on other devices where the Doubao AI account was also logged in. More videos spread across the platform, with users experimenting and discovering that private financial data like card balances, pending bills, digital RMB wallets, and wealth management accounts were just as easily accessible. This raised extremely serious questions: was the Doubao Phone sending personal data to ByteDance’s cloud to train its AI? What were the boundaries between on-device data and cloud data? And what happened to third-party information that simply existed in shared conversations or files?

The case quickly went from being just a tech curiosity to a nationwide debate about data security and privacy in the era of agentic artificial intelligence, with implications that reverberate far beyond China’s borders.

Understanding agentic AI and why it’s different from everything that came before

To grasp the severity of what happened with the Doubao Phone, you need to understand how this type of AI agent works in practice — and why it’s fundamentally different from any virtual assistant you’ve ever used. Agentic AI systems complete tasks with little human oversight. They operate proactively, across different environments, and make many decisions autonomously before needing any intervention. According to Professor Chen Tianhao of Tsinghua University, AI agents directly modify the real-world environment rather than being passive tools. As Caiwei Chen described in MIT Technology Review, it’s like having a highly intelligent and efficient intern who completes workflows that traditionally required human labor and reasoning. In China, an AI agent is sometimes called daili (代理, proxy) or zìzhǔ zhìnéngtǐ (自主智能体, autonomous actor).

Unlike traditional virtual assistants like Siri or Google Assistant, which basically answer questions and execute simple, isolated commands, an agentic AI agent operates with real autonomy. It observes everything happening on the screen, reads text, interprets images, navigates menus, and makes chained decisions to complete complex tasks. Agentic AI typically functions as a layer above traditional large language models (LLMs) like ChatGPT or DeepSeek. While a chatbot responds to individual prompts, AI agents are executors. They receive a command, break it into smaller tasks, and complete entire workflows.

In practice, asking an AI agent to plan a weekend of great theater and cheap food in Beijing wouldn’t result in an itinerary or a list of options with pros and cons, as a chatbot would deliver. Instead, the agent would act like an actual executive assistant: it would book tables at the best restaurants, purchase theater tickets, and hand over receipts, tickets, calendar appointments, and commute maps. In China, that would mean buying tickets through Maoyan or Damai, making dinner reservations through Meituan or Dianping, and processing everything through Alipay’s automated payment systems. In the United States, a similar process would involve platforms like Ticketmaster, OpenTable, Apple Pay, or Google Wallet.

To work properly, this kind of agent needs extremely broad permissions — access to the screen, app data, login credentials, and even payment interfaces. That level of access is precisely what enables the magic, but it’s also what creates an unprecedented vulnerability in the mobile ecosystem.

Why data security became agentic AI’s Achilles heel

The core problem that major Chinese platforms identified lies in the authentication and trust layer. When Alipay processes a financial transaction, it operates on the assumption that there’s a human being on the other side of the screen validating that action — whether through facial biometrics, fingerprint, or password. With the Doubao Phone’s AI agent operating autonomously, that premise completely falls apart.

The Doubao Phone uses a system-level permission called INJECT_EVENTS, which reads and interprets the screen and clicks buttons in ways indistinguishable from a human user. This is only possible because of ByteDance’s partnership with manufacturer ZTE — the agent comes fused directly into the operating system, not as a regular app you download from a store. For comparison, the Samsung Galaxy S26, which Chinese media dubbed the international version of the Doubao Phone, uses a hybrid approach: it primarily relies on API access granted by the 200 largest apps in the app store, with a backup framework that simulates human interaction. The difference in depth of access is enormous.

As researcher Boyuan Wang explained, the Doubao Phone’s agent doesn’t ask apps for cooperation. It simply navigates their interfaces as if it were the person holding the device. The artificial intelligence can simulate screen taps, fill in password fields, and confirm transactions without any human intervention at the moment of execution. For a financial institution, this is the equivalent of having an unauthorized third party operating a customer’s account, even if that third party is software the customer voluntarily activated.

There is currently no industry standard that defines how platforms should authenticate actions performed by AI agents on behalf of human users, and this regulatory gap is what turned the Doubao Phone launch into a minefield.

As for what happens with data after use, an industry expert explained to Southern Metropolis Daily that information is sent to the cloud and processed by the model for inference, but is not stored. Data from new tasks overwrites previous content. The user needs to manually enable the phone’s global memory function — which comes turned off by default — for the Doubao agent to remember personal preferences, like enjoying iced coffee with no sugar. When a task requiring planning and reasoning is assigned, screenshots from each step are uploaded to the cloud for processing, but they are not stored on the server or used for model training. Still, the lack of independent audits only fueled growing distrust.

Fragmentation: the problem only China has (but that affects everyone)

Beyond security concerns, the Doubao Phone case laid bare a structural challenge that makes life especially difficult for agentic AI in China: the fragmentation of the mobile ecosystem. And this problem shows up in two distinct ways.

Superapp fragmentation

The first is superapp fragmentation. China has apps that do everything — called superapps. WeChat and Alipay combine the functions of Facebook, WhatsApp, Amazon, Uber, Google Maps, an app store, and a banking app into a single interface. Meituan, Douyin, and Taobao are also expanding their offerings. Each superapp functions almost like its own operating system, with developers building exclusively for that ecosystem. And like Apple and Windows, WeChat and Alipay are walled gardens. Designed to lock in user traffic and interactions, they tend not to share data or offer services that connect externally.

What this means for AI agents is that when they try to access the content of a WeChat message discussing dinner plans, the task simply fails because the agent has no ability to read and act on information inside the app’s walled garden. That’s exactly why WeChat’s block of the Doubao Phone was such a significant event.

Device fragmentation

The second form of fragmentation is device-related. Around the world, Android phones have a layer of apps and services called Google Mobile Services (GMS) running on top of the Android operating system. That’s why Samsung, Google, or Motorola phones all share Gmail, Chrome, Google Maps, and the Google Play Store. But China blocks Google. So Chinese Android smartphone manufacturers developed GMS equivalents that run on top of open-source Android. Chinese users switching from one Android phone brand to another also need to switch app stores, cloud services, virtual assistants, push notifications, and various other services. To make things even more complicated, Huawei manufactures and sells its phones with a proprietary operating system, HarmonyOS, with its own services.

Both types of fragmentation are enemies of interoperability and, consequently, of agentic AI. Chinese agentic AI will only advance if it overcomes these barriers — which is exactly what the Doubao Phone is trying to do. It’s no surprise, then, that its launch caused a storm. And in the long run, any company that can overcome these barriers in China will be able to deliver more useful and powerful AI.

The regulatory race and the battle over standards

The regulatory landscape in China is in full upheaval. There’s a multi-front battle to determine who will set the rules for agentic AI. On one side, the internet platforms that control the superapps. On the other, AI agent companies, device manufacturers, and state-owned telecom enterprises that also operate as cloud providers. The winners will shape the rules for data access, security authentication, and much more.

The situation is evolving quickly, sometimes in opposite directions. Weeks before the Doubao Phone controversy, WeChat users reported that Tencent may have blocked Huawei’s AI agent, called Xiaoyi or Celia, from initiating calls. At the same time, some superapps are taking steps to offer greater access to agents. Alipay launched a super portal called Zhixiabao that allows AI agents to access features like food delivery and financial services within its mini-programs, promoting it to Android and iOS users as an AI Life Manager.

There’s also a separate battle between state-owned telecom companies — like China Mobile and China Telecom — and private internet and cloud platforms like Alibaba Cloud and Tencent Cloud. In China, telecom companies function as state-owned cloud providers — think of Amazon Web Services with its own cell towers. The types of data each player holds are different: telecoms have location data, call patterns, and network behavior, while platforms collect user preferences, social demographics, and financial transactions.

On the technical standards front, China and the United States are both developing protocols to enable AI agents to work across digital systems. Many developers in both countries use the Model Context Protocol (MCP), introduced by Anthropic in November 2024. This kind of invisible infrastructure enables interoperability, as Matt Steinberg and Prem M. Trivedi explain, functioning like a USB-C port that works as a universal plug. In China, Gaode Map and Feishu have already integrated MCP. But Meituan, for example, hasn’t opened up to third-party apps and doesn’t support the protocol — making scenarios like automated trip booking much harder.

Chinese digital law scholars are questioning whether advances in agentic AI demand a fundamental reassessment of the core concepts in China’s data protection framework — which was modeled after the European Union’s GDPR, sometimes called GDPR with Chinese characteristics. Concepts like consent, purpose limitation, and data minimization can be subverted by AI agents that alter users’ relationships with their personal information.

As Chen Tianhao of Tsinghua University warned, the AI agent embedded in the operating system has amplified the privacy paradox in the AI era, where users seeking convenience unknowingly consolidate information originally scattered across multiple apps into the hands of a single system-level intelligent agent. Wang Yuan, a data law scholar, goes further and argues that data generation has blurred the boundaries between data collection and data processing, rendering many privacy protection laws ineffective.

Wang recommends creating a dynamic and participatory type of consent to reflect the constantly changing nature of data used by AI agents, but acknowledges that a flood of pop-up boxes interferes with the user experience and becomes ineffective. Alternatives include allowing users to customize dynamic consent settings, privacy by design, automatic data deletion after set periods, and more robust anonymization.

The accessibility hack

Another concerning angle revealed by Chinese researchers involves smartphone accessibility services. For AI agents to function on phones, apps need to let them in. Since many developers hesitate to grant that access — fearing loss of data, traffic, and ad revenue — AI agents can exploit accessibility services, originally designed to help people with disabilities use their phones hands-free.

A study by the Nanfang Compliance Technology Research Institute found that AI agents on smartphones were enabling accessibility permissions to access all private screen content and perform operations without notifying users. The assistants could see bank card passwords and conversation logs, as well as tap, long-press, and swipe the screen. Researchers evaluated six smartphones running AI agents and found the situation was quite chaotic — some devices disabled accessibility after completing a task, while others left it active indefinitely.
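
The before/after check behind that finding can be run as a simple audit. The following is an added example, not code from the article or from the study: it parses the output of adb shell settings get secure enabled_accessibility_services (a colon-separated list of service components) and reports services that were switched on for a task and are still active afterwards. The snapshots and the com.example.* service names are constructed, and TalkBack stands in for a service the user enabled on purpose.

```python
"""Audit Android accessibility-service state around an AI-agent task.

Each snapshot is the text printed by
    adb shell settings get secure enabled_accessibility_services
All snapshots and com.example.* names below are constructed for illustration.
"""

TALKBACK = ("com.google.android.marvin.talkback/"
            "com.google.android.marvin.talkback.TalkBackService")


def parse_enabled_services(raw):
    """Return the set of fully qualified 'package/class' names in a snapshot."""
    raw = (raw or "").strip()
    if raw in ("", "null"):          # the setting is unset or empty
        return set()
    services = set()
    for entry in raw.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if not (pkg and sep and cls):
            continue                 # skip malformed fragments
        if cls.startswith("."):      # short form 'pkg/.Class' -> 'pkg/pkg.Class'
            cls = pkg + cls
        services.add(f"{pkg}/{cls}")
    return services


def audit_task(before, during, after, user_approved=""):
    """Compare snapshots taken before, during and after one agent task."""
    approved = parse_enabled_services(user_approved)
    b, d, a = (parse_enabled_services(s) for s in (before, during, after))
    enabled_for_task = d - b
    return {
        # services the agent switched on to carry out the task
        "enabled_for_task": sorted(enabled_for_task),
        # services switched on for the task that were never switched off again
        "left_active": sorted((enabled_for_task & a) - approved),
        # services already on before the task that the user did not approve
        "unapproved_baseline": sorted(b - approved),
    }


AGENT = "com.example.agent/.ScreenControlService"   # hypothetical agent service
HELPER = "com.example.helper/com.example.helper.Overlay"  # hypothetical service

# Constructed device A: accessibility is revoked once the task completes.
DEVICE_A = audit_task(before=TALKBACK,
                      during=f"{TALKBACK}:{AGENT}",
                      after=TALKBACK,
                      user_approved=TALKBACK)

# Constructed device B: the agent service stays enabled after the task, and a
# second unapproved service was already on before the task started.
DEVICE_B = audit_task(before=HELPER,
                      during=f"{HELPER}:{AGENT}",
                      after=f"{AGENT}:{HELPER}",
                      user_approved=TALKBACK)

if __name__ == "__main__":
    for name, report in (("A", DEVICE_A), ("B", DEVICE_B)):
        print(name, report)
```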

Zhu Yue, from Tongji University’s School of Law, notes that LLMs have already benefited from access to large volumes of videos, images, and text annotations provided by accessibility services. He wrote that these issues are a neglected area of AI law: simply by crawling multimedia content and their corresponding descriptions, AI enjoys a free lunch 🍽️.

What the Doubao Phone case means for the future of AI

The episode involving the Doubao Phone isn’t just a fight between Chinese tech giants battling over data control and user access. It functions as a living laboratory for the tensions that will define how artificial intelligence integrates into people’s daily lives in the coming years. And the relevance extends well beyond China: shortly before the Doubao Phone controversy, the Western world had its own version of the debate with the emergence of OpenClaw, a powerful open-source AI agent, and Moltbook, a social network created exclusively for AI agents. Security experts in the United States called the combination of risks a lethal triad.

Meredith Whittaker, president of Signal, warned during the SXSW conference that agentic AI threatens to break the blood-brain barrier between the application layer and the operating system layer by uniting all these separate services and mixing their data. Nate Jones, an AI strategist, added: we spent 20 years building security boundaries around our operating systems, but agents require destroying that by the very nature of what an agent is — it needs to read your files, access your credentials. The value proposition requires poking holes in every boundary that security teams spent decades building.

This discussion about interoperability and agentic AI governance will likely dominate the tech regulatory agenda in 2026, not just in China, but in markets like the European Union, the United States, and Brazil, which already have data protection legal frameworks in place or under development.

Possible paths forward and recommendations already circulating

In the wake of the controversy, recommendations for new rules are already circulating as Chinese regulators assess both the commercial dispute between platforms and the concerns raised by everyday citizens. Chen, from Tsinghua, recommends establishing standards — potentially mandatory regulations beyond industry guidelines — where Doubao would detect higher-risk actions and automatically suspend AI control to hand the decision back to the user. A Chinese fintech industry alliance has already published preliminary recommendations for financial applications of agentic AI, including guidelines on data processing and case studies on how financial institutions are building and integrating AI agents.

Another recommendation is to require on-device processing for particularly sensitive information, such as conversation log content and photo albums, rather than sending it to the cloud. Specific scenarios could be classified by risk level, similar to how Chinese cross-border data transfer regulations already assign different risk levels to different types of data.

Others are proposing to view agentic AI through an antitrust lens. China’s Anti-Monopoly Law prohibits certain types of data acquisition, known as traffic hijacking. AI agents could be regulated as digital gatekeepers — for example, preventing Doubao AI from steering users toward Douyin e-commerce, also owned by ByteDance.

ByteDance is already exploring partnerships with Lenovo, Vivo, and other device manufacturers, and may target international markets for its AI-powered phones. Industry experts believe that once the technology is better understood, China will publish new standards and rules. The implications will be far-reaching.

The truth is that the technology arrived before the regulation, and now the market is scrambling to fill that vacuum. The case leaves a clear lesson for the entire industry: innovation without robust data governance isn’t progress, it’s poorly calculated risk 🚨. The next chapter in the story of AI isn’t just about chips or a single app. It’s about data access, traffic control, and permissions for agents to work seamlessly across fragmented landscapes of devices and services. The smartphone of the future might very well be able to do everything for you — but before that happens, someone needs to make sure it won’t do everything in spite of you.

Rafael
