Both Apple and Google have put considerable effort into reinforcing their app approval systems, especially when it comes to weeding out insecure and malicious apps. No system is perfect, though, and some apps still slip through and become quite popular while they deal their malware to the world. One such app, just discovered by Peppersoft developer David Layer-Reiss, is “InstaAgent”, a malicious tool that has since been removed from all the app stores that carried it.
InstaAgent tricked users by claiming it could show them who had viewed their profile, but what it actually did was send their log-in credentials to a remote server at the “Instagram.zunamedia.com” address. The account data was sent unencrypted, so anyone able to observe the traffic could read it. The “Instagram” part of that address should not fool anyone; a quick look at the source code reveals the app’s malicious nature. On top of stealing credentials, the app was also capable of logging into the affected Instagram accounts and posting pictures without the user’s consent. Instagram does not allow third-party apps to post pictures at all, but the app’s developers hid this function, so the approval team could not have known about it unless they took a close look at the code.
The InstaAgent app was not especially popular in the US, but it managed to climb the “Free Apps” ranks in other regions, including the UK and Canada. On Google Play, the app gathered 100K-500K downloads before being removed, and the numbers are estimated to be very similar for its iOS counterpart. This means that hundreds of thousands of accounts are now at risk, and anyone who reuses their Instagram password for other services should change it immediately. I would also like to note that many similar “Who viewed your profile” apps are still available on Google Play and the App Store, and they should all be avoided. For every legitimate app there will be a hundred malicious ones, and the risk is simply not worth it.