Think of apps and you probably think of your smartphone. After all, Apple pretty much built an iPhone empire around the concept of apps, and users of Android and Windows handsets are just as hooked. Truth be told, though, this 'Age of Apps' has spread far beyond the smartphone sphere. Nowhere is this more apparent than in the social media space.
Facebook is awash with apps, ranging from the useful to the useless. Many of them fall into the 'simply annoying' category, involving the distribution of game invites or high scores to the largely unimpressed and totally uninterested circle of friends of the user. Unfortunately, far more than is healthy have also come along and slotted quite nicely into the security or privacy risk category: apps which pretend to do one harmless thing but actually do something far more harmful, be that leading to malware infection, spamming or phishing attempts.
One popular security risk app type on Facebook over the years has been the 'profile tracker' which promises to reveal who has been looking at your profile recently. Of course, no app can do any such thing, but that doesn't stop people falling for the scam every time such an app is released. And it doesn't stop those people from being at risk of malware infection or account hijack either. As users of the popular social media micro-blogging service Tumblr are now discovering for themselves.
Just like Facebook, Tumblr users can install a whole bunch of different apps to provide additional functionality and fun to the Tumblr experience. GFI Labs, however, has discovered one app that adds neither. Actually, that's not quite true as it does add functionality in the form of gaining itself read and write permissions so it can post and edit blog content using your account. Which isn't a lot of fun.
The ProfileStalkr app is doing a fine job of using these read and write permissions to spread the word about itself across Tumblr at the moment, picking up more naive victims along the way. It promises, as with those rogue Facebook apps I mentioned before, to reveal who has been looking at your profile on Tumblr. Those Facebook apps are best thought of as simply being a route to a cookie-cutter website with a survey (either for the purposes of relieving you of personal information or getting an illicit income for each survey completed, and often a combination of the two). The Tumblr rogue app is that same cookie-cutter website with a survey, plus an installable application for good measure.
The app requires users to log in to Tumblr for 'authorisation' purposes and to allow the software to supposedly start tracking and analysing profile views. This also requires the user to grant ProfileStalkr read/write access to the account, and an advert to spread the word is immediately posted for your circle of friends to see.
Users who have still not cottoned on are directed to the ProfileStalkr website, which encourages them to unlock the names of their stalkers by clicking on a button which pops up a survey, surprise surprise. By this point the penny will probably have dropped and off the user goes to change their password. Which solves nothing, as the 'post by email' Tumblr functionality can still be used to post to the blog via your 'secret address' regardless. At least until the user, assuming they are aware of the option, changes that address as well.
To remove ProfileStalkr, Tumblr users need to visit their account settings and click on the apps section, where they can revoke access. GFI Labs recommends changing your login password and resetting your 'post by email' address as additional safety measures, just in case you've fallen for some similar scam before and didn't realise it!