"InstaAgent" app axed from app stores for stealing credentials

By JC Torres/Nov. 11, 2015 3:00 am EST

Some people are way too obsessed with finding out who viewed their social networking pages. Instead of relying on sanctioned analytics (which are mostly only available to brand or product owners), some resort to third party services and apps to do the snooping for them. More often than not, however, these become vehicles of viruses and malware that plague social networking sites. One such example is "Who Viewed Your Profile – InstaAgent", a mobile app that claims to do what its name says it does for Instagram, while pilfering your account name and password to do very bad stuff.

The promise is too simple to be true. Download InstaAgent and discover your would-be fans or stalkers. In order to do its magic, You will have to login to your Instagram account using the app, which should already send a flurry of red flags. The perhaps little known fact that Instagram actually prohibits uploading any content from third party apps, which would be the only reason you'll need to hand out your password, should be reason enough to suspect InstaAgent.

What the app does instead is to transmit the account username and password to a suspicious remote server. In plain text even. So not only does the owner of that server now know your Instagram account credentials, so would anyone who managed to spy or hack into that communication. To add insult to injury, InstaAgent posts images on your Instagram. Without your permission of course.

Sadly, InstaAgent seems to be quite popular in the UK and Canada, where the app has been download nearly millions of times. On Google Play Store, where the app was removed after news broke out, that might not be so surprising. But InstaAgent managed to rake in thousands of downloads on iOS as well. This is just one of the latest incidents where disguised malware successfully gets past Apple's usually stringent app scrutiny.

Sadly, the damage has mostly been done and affected users have no other recourse than to uninstall the app and change their passwords. Given human habit of reusing the same username and password pairs for other online services, those might have to be changed quickly as well.

VIA: MacRumors