IRL app – a fun app for teens or a hidden mobile malware?

Ajnabee

Senior Member
Joined
Apr 25, 2018
Messages
143
Likes
66
Points
57
#1

These past months have brought a lot of attention from The media and False claims to this, at the first glance innocent-looking, a mobile application called IRL app. IRL, which stands for ‘In Real Life’, was designed to send invitations to friends to hang out in reality with each other with various theme suggestions based on interests, area, holidays and seasons. Moreover, it allows nominating friends anonymously with ‘Noms’ for their positive features and things they are good at. So what caused all the commotion?

The suspicions were raised when people started getting random messages with the unknown link: IRLAPP.io/dl/, claiming that they were nominated by their friend/classmate and if they want to see who did that, they should press on the link. Because of the previous SMS phishing campaigns that would steal contact information of the victim and distribute itself in a text message, everyone got pretty uneasy, not knowing if this is not another malware trying to infect them. Furthermore, when users and message recipients started investigating the IRL app, the Privacy Policy seemed to be rather worrisome too. These discoveries led to many questions: is IRL app malicious and is it safe to use?
Is IRL app a virus
Bottom line up front, IRL app is not a virus. It is a legitimate mobile application that has too many privileges and distorted operating principles. It is supposed to be a positive influence on teenagers to get outside and do activities together, yet includes features that are not that suitable for younger audiences. IRL App is rated for 12 year-olds and older, yet may contain:

Infrequent/Mild Profanity or Crude Humor
Infrequent/Mild Alcohol, Tobacco, or Drug Use or References
Infrequent/Mild Cartoon or Fantasy Violence
Infrequent/Mild Mature/Suggestive Themes

The creator of IRL, Abraham Shafi, said that you can only sign up at IRL app if you are at least 13 years old (which is still not an appropriate age to be exposed to violence, drug use or crude humor). Moreover, Shafi claimed: “We think our app is incredibly safe. We’re not building social media. For us, this is real social. These are friends you actually go to the movies with. Right now there’s no social media app making people feel seen. If you’re going to be playing video games, at least do it with a friend.” But vulgar characteristics are not the only issue with IRL app.
IRL application virus or safe

In the beginning, IRL app was only for iPhone users, but now it is available for Android as well. When installing this application asks for a lot of permissions, which are not necessary for this type of program, eg. Identity (accounts’ and profiles’ data), Contact list, Location, Photos and Media, Camera (asks permission to use the user’s front and back cameras), Device ID and Call information. This is what allows this application to send unregulated text messages with links for other people on your contact list, leaving them with an impression that your device got hacked. If you do not give the permission to IRL app, whenever you press on anything in that app, it will keep asking you to enable contacts and geo-location tracking so you won’t be able to enjoy it unless it gets what it wants. Very similar to other Mobile Malware.

And again A.Shafi had a comment about this intrusive behavior saying “Your contacts are needed to connect you to your friends and it’s how you invite and nominate people. Location is used to connect you to local events and personalize your experience.” While this is understandable, there should be an option not to share these personal details, if the user doesn’t want, moreover some people from the contact list may not want to receive any kind of texts containing links and ambiguous messages, therefore can result in blocking the App owner from contacting them fully.

What raises concern too is that even if IRL app is not meant to cause any harm, yet having an access to such personal information can draw attention from the real hackers, which can try hacking the company and program’s servers and breach the data and get the access to many young people’s phones and track them, spy on them via camera, hack the social media accounts, steal the identity, post and text inappropriate messages on their behalf, steal the identity and etc. And again, take a look at IRL app’s Privacy Policy and all the information they record about you.

We may also collect general non-personal information (the “General Information”) from your use of the Services and/or which you provide to us, including:

Your interests based on how you use the App;
Your gender;
Your GPS location accessible by us through the App (your “Location”). Your approximate location may also be derived from your IP address;
Certain information about your mobile device, such as, for example, advertising identifiers, the hardware model, operating system, software and file names, preferred language, unique device identifier, serial number, device motion information, and mobile network information; and
Certain standard browser information, such as your browser type, IP address, access times, and App usage data.

In using or accessing the Services, you agree and authorize us to collect and use your Personal Information and General Information in connection with the Services.

This again reminds about the Importance reading EULA. All in all, but this is not the software that parents would feel safe having their teenagers using it, no matter the nice cause, behind it.
Why did you get a message from IRL app

Online forums last couple months got flooded with questions inquiring information where are these messages saying Someone complimented you! See more on IRLAPP.io/dl or Someone you know said something nice about you. See what they said! http://hmuapp.com/dl coming from. It would not show the name who is sending the text or who is giving the ‘NOM’ so it looked like an SMS phishing campaign. After clicking on the link, the user would simply get redirected to the IRL page on App/Google store suggesting to start the download of this fun program to find out the ‘secret admirer’. Once again the CEO Shafi addressed the issue:

Texts come from people who are on the app and your number is in their contact list.

On the website itself, there are 3 main reasons which lead to you getting a suspicious text message from IRL. They all start with someone you know that has your phone number getting this IRL app and adding you as a friend on it, inviting you to do something on the app, or nominating with the ‘Nom’. But we suspect that even people who are NOT nominated, invited or added as a friend may be getting these SMS messages because the app has the permission to control the call/text traffic without your further consent.

IRL app text messages

While text messaging may have been another marketing technique to make more people download the program and get better ratings, yet the shadiness is undeniable and using someone’s contact numbers to spread is too much. Even such famous and well-known companies like Facebook or Instagram have a special optional feature which asks you if you allow text messaging from them.
How to stop IRL app messages

After so many allegations and public media attention, the company added the special section on their website saying that all you need is to simply reply “STOP” to any text message that you receive from them or contact them at their email: hello@irl.co. “We don’t want to touch people who don’t want to be texted” A. Shafi acclaimed.

In the nutshell, while IRL app has caused a lot of suspicions, it is not a virus or a malicious campaign, and yet it does demonstrate shady features, which are not expected from this socializing program. What is more there are plenty of apps that allow young people to hang out without having an access to their location or contact list. Although IRL is still in development fixing their mistakes, the recent publicity may attract not only new users but crooks too, that can one day decide to take over and use all of the collected information for unlawful reasons. The choice is yours to take a risk or stay safe.

 
Top