Attack of the Tinder bots: ‘malicious’ download links found in dating app
You might think you’re chatting up an attractive human, but they could be a malware-toting algorithm. Called Alicia.
Dating app Tinder is hugely popular around the world, with an estimated 4.2m daily users. Now those users are being warned that the service has been “invaded by bots” posing as humans.
Security firm Bitdefender has identified the bots, which pose as women to engage Tinder users in text chat before seeming to promote a mobile game called Castle Clash. They post a link to a website called Tinderverified.com, which is not owned by or associated with Tinder.
“The name of the URL gives the impression of an official page of the dating app and for extra legitimacy scammers also registered it on a reputable .com domain,” said Bitdefender’s chief security strategist Catalin Cosoi.
People clicking on the link from the UK – where Bitdefender claims Tinder has 9m registered users – are taken to “fraudulent” surveys and competitions for brands including Asda and Tesco, while US users are taken to a download page for the Castle Clash game.
Its developer, IGG, has denied being responsible for the Tinder bots, which have been spotted operating under names including Alicia, Haley and Cherry.
“We are already aware of this issue and we are currently investigating into it. We are also being victimised in this issue therefore we are grateful for being informed,” said the company in a statement provided via Bitdefender.
Tinder initially described the problem – first shared publicly on Reddit in late March – as an “isolated incident”, before providing TechCrunch with an updated statement as it realised that more users were encountering the bots.
“We are aware of the accounts in question and are taking the necessary steps to remove them. Ensuring an authentic ecosystem has always been and will continue to be our top priority,” said a spokesperson.
It’s the latest security concern for Tinder, which in February was accused of having left unpatched, for several months after being notified about it in 2013, a security flaw that enabled hackers to pinpoint users’ locations.