Whenever this app is used (even not finishing a survey), a new album tagging all of your friends will be created, along with another bit.ly URL in the description, trying to trick new victims. See the album page in the following image, captured when we tried to find all these "scam" applications. I'll bet all of my friends are upset.
Obviously, compared to click-jacking, this new scam is more advanced and has more impact on your network. Even more serious is the fact that the apps owners can access and control more information revealed by you. Meanwhile, these scam apps obey the ToS of Facebook: they only post given permissions.
To avoid detection or banning, the attacker used several intermediate URLs for redirection: 1) a bit.ly shortened URL, 2) a Amazon S3 URL, 3) two newly registered domains. The two transitional domains zoomdamx.com and tikoroom.com are both recently registered with an India address on 25 April 2012 and 1 May 2012, respectively.
To stop you and others being victims of this app-jacking scam, two actions need to be taken: revoke the permissions for "My Match" and remove all auto-posted albums. Go to Account Settings after logging in Facebook, click Apps on the left panel, and then click "Edit" link for every "My Match" app. Now click "Remove" link first to remove all post made by this app, and then click "Remove app" link to revoke the permission.
To summarise, click-jacking is old news now. This app-jacking might be a new trend for scammers for a while, until Facebook takes strong actions to scrutinise app creation.
For more information on how to protect your network please go to www.barracudanetworks.com/
Sign up for CIO Asia eNewsletters.