Earlier this year, users of the popular gay hookup and dating app Grindr started seeing a sharp increase in the number of attractive men saying hello to them. Handsome, muscled, and stripped to the waist, the men introduced themselves with a handful of stock greetings. "Poke." "Hey buddy." "Hey sexy." Say hello back and they’ll respond with a quick story about how incredibly frisky they are feeling. It seems that they have just gotten home from the gym, and are about to remove all their clothing. Perhaps you’d be up for a quick video chat?
In this case, what might seem too good to be true actually is. Some of the most provocative profiles on Grindr aren’t men at all, but spambots designed to lure credulous users into turning over their credit-card information. The links all point to questionable webcam sites with names like MyPassionPit, MyGayCamCrush and GaySliceCrush. After dropping a link to those sites in a Grindr chat, the spambot ceases responding, except to ask why you haven’t joined him yet.
Users could be forgiven for assuming spambots wouldn’t be an issue in Grindr. The location-based app shows users only the hundred or so other users closest to them, theoretically making it difficult for spammers to target users outside their immediate vicinity. But the Grindr spambots manage to contact users from 6,000 to 7,000 miles away from the United States. They also figured out a way to circumvent Grindr’s blocking technology, hounding users with an additional invitation to join the webcam chat even after the user blocked the bot. (A bug fix in April appears to have ended that particular problem, at least for now.)
Tim Strazzere, lead research and response engineer at Lookout Mobile Security, speculates that spammers are able to spoof their location by opening Grindr in an Android emulator and searching for users in target-rich environments like New York and San Francisco. By not requiring email addresses or passwords, Grindr makes it easy for spammers to open up unlimited instances of Grindr on their computers and not worry their activity will be traced back to them. "It wouldn’t be too complicated to try to reverse-engineer the APIs they’re using and set up an app where you log into a server and say, ‘Show me everyone who’s in San Francisco,’" Strazzere said.
Spambots are not unique to Grindr; the world of dating apps is filled with scam artists. Users of dating services are perceived to be vulnerable and likely to spend money, and spammers are happy to take it. In April, fast-growing dating app Tinder began seeing spambots of its own, following a script similar to the Grindr bots. Meanwhile, the editor of Online Personals Watch told Glamour that on some sites, as many as 1 in 10 profiles are operated by scammers.
On Grindr, the app’s 6 million users are getting fed up with all the bots. "All I ever get is spam messages," lamented one lonely reviewer in the App Store. Another said the app has become "a travesty." "Filled with bots that can unblock themselves and violate your privacy," the user wrote. "Makes you wonder what else these illegal bots can do."
"Grindr is well aware of, and addresses, the spambot issue in a number of ways," the company said in an email to The Verge. Grindr employs a team of moderators to track and ban spam profiles, and regularly sends broadcast messages inside the app to discourage users from visiting the webcam sites. Grindr told The Verge that it will soon release an update that requires users to verify their accounts by providing a valid email address and creating a password. The company says that together, the new measures will significantly reduce spam.
The measures also promise to change the nature of an app that spread in part because of its anonymity. Joining Grindr requires only downloading the app and opening it up — immediately, the user is greeted with profiles of dozens of nearby men. Its profiles are essentially disposable, making it attractive to men who are closeted, cheating on their boyfriends, or who simply don’t like filling out profiles. But even as they have fueled its rise, the disposable profiles have also made Grindr easier to spam.
Competitors like Scruff and Jack'd have long required users to create an account, and seem to be less prone to spam. But they’re also less popular. Verified accounts may help Grindr with its spam problem — but they’ll also make it feel more like the competition. Requiring email addresses and passwords could blunt Grindr’s momentum by chasing away men who wanted to stay completely anonymous, even to Grindr itself. But with spambots choking its servers, the company has little choice but to start using some protection.