Beware of iPhone “Melt” App Email and SMS Spam

It must be a sign of the times. About three weeks after my ten year old daughter had her first “phishing” experience with Genieo adware on one of our family Apple laptop computers, my older (13 year old) daughter managed to accidentally spam over 2000 people (my entire iCloud contacts list) with personalized text messages and emails. The culprits? Her dad who apparently didn’t realize letting another family member use his iCloud account for iTunes Match could also sync all iCloud contacts in his daughter’s iPhone running iOS7. (“That dad” in this story is, of course, ME.) The second culprit would be a new app the daughter installed (around 6 pm CDT today) called “Melt” which forces / tricks users into accepting terms that lets the app upload and then spam the entire iCloud contact list on the iPhone. The most important message for you to read first in this post is as follows:

If you receive a text message or email from my daughter inviting you to connect with her on “Melt,” please ignore it and delete it with my apologies.

Email spam from the “Melt” app looks like this:

SMS spam from the “Melt” app looks like this:

The text message above is one my wife received. She knew it was fishy since our daughter wouldn’t address her in a text message as “Mommy,” she’d say “Mom.” I received two phone calls earlier tonight from people who were our neighbors a few years ago when we still lived in Edmond, alerting me to the strange text messages they’d received. A quick Google search for “iPhone Melt” brought up the “Melt – Let’s be friends!” app.

The first five reviews of the app on the App Store are positive, but starting with review #6 they turn very negative. Apparently others have experienced this “involuntary spamming of all your contacts” problem.

Lessons learned so far (with more likely to come):

1. If you sync your iCloud account to another family member’s iPhone so they can use your iTunes Match, be sure your contacts don’t sync over too.
2. Beware and discuss this with your spouse and children: Read the fine print carefully before you grant ANY app or website access to your contacts or to post on your behalf. This goes not just for apps, it’s also true for Facebook apps, logging in to websites with Google or Twitter credentials, etc.
3. Security on smartphones, tablets, laptops, and other computers is VERY important and something everyone needs to discuss regularly.
4. Even smart people can be tricked into clicking YES in an acceptable use agreement that does unacceptable things.
5. Connectivity brings benefits as well as risks.
6. Take the protection of your information seriously and do what you can to remain both informed and proactively safe.
7. Use situations like these as stories you share as “teachable moments” with others, not to “play the fear card” and convince them to give up all mobile computing… but rather to help them become more informed and take reasonable steps to safeguard both their information and their security.

Any others to add? Have you run into a similar situation in your family or circle of contacts?

  by  mrdodgy 

On a related note, if you’re a Windows user you definitely need to know about the new “CryptoLocker Ransomware.” I learned about it over the weekend listening to the October 23rd “Security Now” podcast with Steve Gibson and Leo Laporte. The English WikiPedia entry for Ransomware has an evolving sub-article on CryptoLocker with external links. It’s nasty and probably the first of more “ransomware” malware programs which will be distributed globally in the months ahead, both on laptop/desktop computers as well as mobiles. The big lesson there is to have a “cold” backup of your computer data. Thankfully CryptoLocker is Windows-only, Mac users and Google Chromebook users aren’t affected. Security issues affect us all, however. We need to stay informed and do our best to act safely. Security awareness about issues like these is an important part of digital citizenship!

UPDATE 10:50 PM CST
It remains a mystery how my iCloud contacts got on my daughter’s phone and merged with hers. My son uses my AppleID for iTunes Match on his phone, but our contacts are not conflated. My daughter does NOT use my AppleID for iTunes Match and hasn’t in the past. I’m suspicious her iTunes sync settings on the laptop we used at home to backup her phone, before she started using iCloud, might be to blame. It’s also possible she used a laptop on my login at some point, and logged into her iCloud account. She has her own iCloud account on her iPhone. I’m not sure if this happened during the iOS7 upgrade process. If anyone has other ideas. please let me know!

Technorati Tags: apple, iphone, safety, melt, spam, sms, email, hack, message, warning

If you enjoyed this post and found it useful, subscribe to Wes’ free newsletter. Check out Wes’ video tutorial library, “Playing with Media.” Information about more ways to learn with Dr. Wesley Fryer are available on wesfryer.com/after.

On this day..

• Normalizing Audio in an iPad Paper Slide Video with Auphonic – 2016
• Pushing Free and Paid iPad Apps using Meraki MDM – 2015
• Make Marvelous Movies by Tony Vincent – 2014
• Enhanced iPad Videos by Greg Kulowiec at Miami Device 2014 – 2014
• Sketchnote of Show What You Know With Media by Silvia Tolisano – 2014
• Introducing the PlayingWithMedia.com Video Library – 2014
• Show What You Know with Media – 2014
• Notes from Gary Stager’s Keynote: 2012 Interactive Learning Institute #k20ili – 2012
• This Is What Learning Looks Like by Gary Stager (Nov 2012) – 2012
• Puffin Web Browser for Flash Movies on iOS – 2011