This Valentine’s Day, think twice—you may be downloading a malicious dating app.

Nothing gives singles a painful reminder of their loneliness quite like Valentine’s Day. The approach of February 14th causes a recurring seasonal spike in the availability and downloads of legitimate, illegitimate, and malicious mobile apps related to romance and dating. According to marketing data intelligence firm AppAnnie, dating apps currently comprise 14 of the top-25 grossing lifestyle apps and two of the top-25 grossing overall apps.

Unfortunately, this predictably frenetic February dating app activity plays right into the hands of cyber threat groups and individuals looking to take advantage of heartache-induced lapses of judgment. These threat actors will leverage popular keywords and branding of well-known dating apps to trick people into downloading their fake and malicious apps, which can steal sensitive information, redirect traffic to malicious pages, and infect devices with malware.

To combat this problem, RiskIQ applies its crawling platform to monitor 120+ mobile application stores and the nearly 2 billion resources we scan daily to look for mobile apps in the wild. With this proactive store-first scanning mentality, we observe and categorize the threat landscape as a user visiting app stores and downloading applications would. Every app we encounter is downloaded, detonated, analyzed, and stored to build a repository of over 14,000,000 mobile apps.

For our 2017 Valentine’s Day dating app research, we queried this data repository to find apps utilizing the names of seven of the most popular dating apps in the United States:

• Zoosk
• Tinder
• Match
• OkCupid
• Grindr
• Happn
• Coffee Meets Bagel

You’re not who I thought you were

We found hundreds of mentions of these seven brands in apps and app stores around the world. While not all of the apps listed in Fig-1 are harmful to users, the vast majority of them have nothing to do with the brands they’re leveraging. Because these brands have no control over the content of the apps using their names, this (often fraudulent) activity can result in false brand association and the degradation of trust with consumers.

Totals of Active and Inactive Apps Found by RiskIQ (Fig-1)

App	Total Active Apps	Total Inactive Apps
Grindr	392	384
Zoosk	981	1,104
Match.com	479	452
Tinder	2,404	1,059
Coffee Meets Bagel	72	40
Happn	78	24
OkCupid	1,024	917
Total	5,430	3,980

Love hurts

Although not all the apps we found are directly harmful to end-users, many are extremely dangerous and have been blacklisted by RiskIQ as a result. These malicious dating apps were built to be used for phishing, distributing malware, or redirecting users to malicious pages:

Amount of Active and Inactive Malicious Apps Blacklisted by RiskIQ (Fig-2)

App	Active Blacklisted Apps	Inactive Blacklisted Apps
Grindr	14	34
Zoosk	67	89
Match.com	18	22
Tinder	42	26
Coffee Meets Bagel	0	1
Happn	1	0
OkCupid	48	53
Total	190	225
% of Total	3.50%	5.65%

It’s easier to ask for permissions than forgiveness

The global app ecosystem is a wild and unruly place, and not all bad apps have been blacklisted. One tell-tale sign of a malicious app is if it asks for excessive permissions or permissions that aren’t consistent with the promised function of the app. In 2017, RiskIQ found that the top-20 permissions used by both legitimate and blacklisted applications remained roughly the same as years past. This consistency shows that malicious apps are using the same behaviors as legitimate ones, only for nefarious ends.

Many of the apps in fig-1 asked for permissions that are unusual for a dating app, such as access to premium SMS and recording audio and video:

Permissions for Each App (Fig-3)

App	Record Audio	Record Video	Send SMS	Write SMS	Receive SMS	Read SMS	Flashlight	Call phone	Read Call Log
Grindr	36	0	12	7	16	12	10	20	1
Zoosk	46	1	77	1	11	6	8	17	8
Match.com	20	0	3	0	1	0	5	8	5
Tinder	38	1	93	8	26	20	15	34	13
Coffee Meets Bagel	1	0	2	0	0	0	0	0	0
Happn	5	0	1	0	0	0	2	2	1
OkCupid	48	0	42	0	9	6	4	11	3
Total	194	2	230	16	63	44	44	92	31
% of Total	3.57%	0.04%	4.24%	0.29%	1.16%	0.81%	0.81%	1.69%	0.57%

Take a swipe at malicious dating apps: How to protect yourself

This Valentine’s Day, we know threat actors are taking aim at victims looking to download romance and dating-related apps. By following these steps, you can save yourself from a broken heart:

1. Beware of too many permission requests

Users should make sure the things an app is requesting the capability to do matches up with what they expect it to do—malicious apps are much more likely to ask for vast swathes of extra permissions, well beyond what their core function would suggest they need. These might include the subtly suspicious permissions in Fig-3 above, or some that are completely out of the ordinary, such as being able to wipe a phone back to factory settings.

2. Lots of downloads or positive reviews don’t mean an app isn’t harmful

Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.

3. Ensure that you are only downloading apps from official app stores such as Google or Apple

RiskIQ research found that Q4 2016 brought with it a host of new malicious applications, as well as the stores to serve them, a trend we expect will continue in 2017. Cyber threat actors are starting to move away from legitimate stores such as the Apple App Store and Google Play, focusing more on feral applications and secondary hosting providers.

For example, one of the newly added stores, AllFreeAPK, shot immediately into our list of top 10 all-time providers of blacklisted applications within the first few months of being tracked.

4. Does it look credible? Trust your heart

This Valentine’s Day, make sure to take a deeper look at each app. New developers, or those that take advantage free email services (@gmail) for their developer contact, can be huge red flags—threat actors often use them to produce mass amounts of malicious apps in a short period. Also, bad grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

Why RiskIQ?

RiskIQ differs from other monitoring systems that rely on end users employing their virus scanning tools and manual sample submissions. RiskIQ Mobile Threats provides discovery across all major app stores as well as more than 150 less common stores, including focused coverage of high-risk stores and regions for brand impersonation, malware, and fraud. In addition to unparalleled coverage of third-party app stores worldwide, RiskIQ incorporates a unique source of “feral app” binaries, or mobile apps collected outside of dedicated mobile app stores, via drive-by download for example. With this comprehensive mobile presence knowledge organizations have the unparalleled ability to:

• Monitor Google Play, Apple App Store, and more than 150 other app stores around the world to uncover rogue mobile apps
• Intelligently sort legitimate apps from modified versions, unauthorized fakes, and look-a-likes
• Go beyond just the title and description, automatically analyzing all app content and code to discover logos, brand references, and malicious code hidden within app files
• Track app versions and correlate apps across stores for efficient management and enforcement of related incidents

Methodology

To analyze the methods threat actors will employ this Valentine’s Day and where they’re targeting their malicious efforts, RiskIQ ran a keyword query of the mobile app database* looking for instances of the brand names of seven leading dating apps in the United States.

The findings confirmed that threat actors are using these well-known dating apps specifically to exploit their popularity.

*The source of RiskIQ’s Blacklists is our collection of internet data, which our collection architecture of virtual users gathers by scanning, crawling, and passive-sensing the internet—including web pages, mobile apps and stores, and a variety of social websites and apps. RiskIQ’s crawling technology covers more than 300 million mobile devices, 1.8 billion HTTP sessions, 783 global locations across more than 100 countries, 16 million mobile apps, and 300 million domain records.