Malicious ads from third parties have been piggybacking on the gay dating app Grindr to run a premium rate number scam.
Grindr blamed a third-party network for pushing the dodgy advert, which was withdrawn after representations from El Reg. We learned of the apparent scam after hearing from Tom, a UK-based Grindr user.
"The iOS version has recently started dialling (without any user choice, input or confirmation) a premium rate number – 0913 666 0010 – which carries a hefty connection charge and per minute rate, and even if you cancel it quickly you still get hit with the connection charge," Tom told El Reg.
"I’m not sure whether it’s malware within the app or their advertising partners – but either way Grindr has refused to respond or even acknowledge messages from users via Twitter or email," he added.
A Google search for the UK number linked to the apparent scam reveals another complaint, again related to an ad for Grindr Extra. "grinder [sic] gay dating app dials this number after pop up appears on my screen advertising grinder extra," the anonymous complainant states.
Another reported being left £65 out of pocket, while a third said the number concerned charged £1 per second. El Reg reported the number and a broad outline of the scam to UK regulator PhonePayPlus.
According to Tom, the Grindr app has a history of allowing pop-up adverts and websites to appear without any interaction/input from the end users.
A quick search on Grindr + premium rate on Twitter suggests similar issues surfaced in December in the context of Grindr's Android app.
iOS apps can “auto-dial” a number by opening a tel: link, but the user is supposed to see a confirmation prompt and tap "OK" before the call is placed. Android apps, by contrast, have to request the phone-call permission up front.
Security experts at F-Secure suspect the premium rate scam is the result of third-party malicious ads abusing Grindr's app. "This might be possible either via a flaw – or due to a lack of policing/filtering/sanitising of what ads can do as the app itself," said Sean Sullivan, a security advisor at F-Secure.
It might be possible to bypass the permission confirmation if the link is formatted in a particular way, an issue discussed in a Reddit thread last August. Another possibility is a disingenuous permission dialog box worded in such a way that it is easy to trigger a call by mistake.