Malware Masquerades as Dating Apps to Steal Your Info

A new and deeply concerning mobile malware campaign is preying on people’s emotions and their smartphones. Known as SarangTrap, this sophisticated operation tricks users into downloading fake dating and social networking apps, only to quietly steal their most personal data.

Over 250 malicious apps and 80 phishing websites have been linked to the campaign, which primarily targets users in South Korea but may impact anyone around the world. These apps often look polished and real, mimicking popular platforms and offering exclusive features like “invitation-only” access to draw users in.

The Trap Behind the Invitation Code

Once installed, the apps prompt users to enter an invitation code. This seemingly harmless step is actually a setup. After the code is submitted, the app requests access to contacts, images, and other sensitive data, pretending it’s necessary for full functionality. In reality, it silently uploads this data to servers controlled by cybercriminals.

Fig 1. The app requests access to sensitive data. Source: Zimperium

On Android devices, early versions of the malware also sought access to text messages. But newer versions are more discreet. They’ve stopped asking for SMS permissions outright, helping the malware slip past security scans—while still collecting contacts, photos, and phone details.

iPhone users are targeted in a different but equally deceptive way. Instead of downloading an app directly, they’re tricked into installing a mobile configuration profile first. These profiles, typically used by businesses, allow attackers to install malicious apps and access sensitive data without triggering the usual warnings.

Deceptive Websites and Real-World Consequences

What makes SarangTrap especially dangerous is how convincingly it spreads. Hackers created over 70 active phishing websites that show up in Google search results. Many advertise dating platforms or file-sharing tools with names that sound friendly, local, and trustworthy—an effort to make users feel comfortable downloading the malicious content.

Fig 2. Icons of the fake apps used in the phishing campaigns. Source: Zimperium

In some cases, the consequences go far beyond stolen data. There have been reports of blackmail using stolen content. One victim, grieving a breakup, installed what he believed was a legitimate dating app. After engaging with a fake profile and entering a code, his device was compromised. The attackers later threatened to share sensitive videos with his family.

What You Can Do to Stay Safe

The campaign is still active and evolving. Security researchers have seen evidence that the malware is under constant development, with hackers testing new strategies to avoid detection while increasing their reach.

To protect yourself, be cautious about where you download apps. Stick to official app stores and avoid apps that ask for codes or request excessive permissions. iPhone users should be wary of installing any configuration profiles unless they come from a trusted source.

This is more than just a tech problem—it’s a digital exploitation of trust and emotion. When it comes to mobile apps, staying alert and skeptical is one of the best defenses you have.