Earlier this year, users of the popular gay hookup and dating app Grindr started seeing a sharp increase in the number of attractive men saying hello to them.
Some of the most provocative profiles on Grindr aren’t men at all, but spambots designed to lure credulous users into turning over their credit-card information.
The links all point to questionable webcam sites with names like My Passion Pit, My Gay Cam Crush and Gay Slice Crush.
After dropping a link to those sites in a Grindr chat, the spambot ceases responding, except to ask why you haven’t joined him yet.
Users could be forgiven for assuming spambots wouldn’t be an issue in Grindr.
The location-based app shows users only the hundred or so other users closest to them, theoretically making it difficult for spammers to target users outside their immediate vicinity.
But the Grindr spambots manage to contact users from 6,000 to 7,000 miles away from the United States.
They also figured out a way to circumvent Grindr’s blocking technology, hounding users with an additional invitation to join the webcam chat even after the user blocked the bot.
(A bug fix in April appears to have ended that particular problem, at least for now.)
Tim Strazzere, lead research and response engineer at Lookout Mobile Security, speculates that spammers are able to spoof their location by opening Grindr in an Android emulator and searching for users in target-rich environments like New York and San Francisco.
By not requiring email addresses or passwords, Grindr makes it easy for spammers to open up unlimited instances of Grindr on their computers without worrying that their activity will be traced back to them.