Mobile Valentine Apps Send Love, Take Sensitive Data

Using an Android app to express your love for someone this Valentine’s Day may just earn you a slap instead of eternal gratitude. And not just because you’ll look like a cheapo.

The pink hearts and cuddly bears so ubiquitous to the season may be hiding invasive permissions that can violate your privacy, rack up your phone bill and even lead to identity theft, Bitdefender Clueful Team finds.

Seasonal apps including Valentines Day 2014 Wallpaper push permissions to access and send your location over the internet and to read your browsing history even though the app doesn’t need them to work. Valentines Day Frames even requires permission to read the user’s contact list. These permissions are most likely sought by the ad-placing network SDK.

While such an app might help someone send a message to a loved one, the Love letters for chat, status app on Google Play has permissions that can also add or modify calendar events, send emails to guests without the owners’ knowledge, read calendar events plus confidential information, directly call numbers and change audio settings.

Scams for PCs have also jumped in number. The Bitdefender anti-spam lab noticed from Jan. 22 to Jan. 23 the seasonal spam increased 10 times in volume virtually overnight – and the seasonal malicious campaign hype has barely started.

The above chart indicates a second spike in the seasonal spam flow on the 7^th of February – similar in intensity to the one registered on the 5^th of February 2013.

A sudden drop afterwards was followed by a steady growth in the number of spam that lasted until the 13^th of February 2013 – when our labs registered three times more Valentine-related spam e-mails than on the 5^th. The same trend is expected this year with the note that 2014 saw a slight decrease in the overall number of seasonal junk e-mails.

Fake diamond rings, flower arrangement deals, chocolate boxes and other online Valentine’s Day specials this year just might grab your online identity, turn your PC into a zombie in a botnet or steal credit card details.

Here are some traps scammers either throw at users or hide on the Internet around Valentine’s Day:

• eHarmony invitations for those who want to find their significant other in a singles’ community
• “Burn fat fast”, miracle tricks to get women in shape in no time – nutritionists recommend a wonder plant that does the job in a matter of days
• Dazzling discounts for flowers, plush bears, chocolate animals, picture frames, wine and gift boxes
• Valentine’s wallpaper on users’ Android devices
• The eternal luxury knock-offs – replica wrist watches and jewelry that no celebration of love could be complete without

Don’t rush into buying gifts over the Internet without a thorough preliminary check. Some data should never be shared even with people you know, let alone with those you don’t know. Don’t forget that it’s unlikely a stranger is working over the internet for your best interest.

If you want to make sure the application you are about to install won’t pry, steal or misuse in any way your personal data, get your own free Clueful app to be your privacy consultant. Clueful will offer you an expert opinion on how apps treat your privacy once you install them on your handset.

This article is based on the technical information provided courtesy Bitdefender Clueful Team and on the spam samples provided by Ionut›-Daniel Raileanu, Bitdefender Spam Researcher.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.