Being able to see who has viewed your Instagram profile is one of those things that most social media users would like, and it should come as no surprise that an app that allows users to do just that became one of the most downloaded iOS apps over the weekend. Of course, it also turned out that the app happens to collect usernames and passwords.
The app in question is called “Who Viewed Your Profile — InstaAgent”, and had managed to get itself downloaded more than half a million times on iTunes (with another half a million on Google Play) before it was pulled from the store. How it managed to get past Apple’s stringent tests and quality control is still unknown, but this is not the first time that rogue apps have managed to slip through the net.
— David Layer-Reiss (@PeppersoftDev) November 10, 2015
It was German developer, David L-R, who took the time to examine what the app was doing before anyone became aware of the issue. David discovered that InstaAgent was recording passwords and usernames in plaintext format, and then transmitting them to a remote server known as
In addition to stealing passwords, InstaAgent was also discovered to be posting pictures to user accounts without their knowledge. It is likely that whoever is behind the app was using it to post the pictures, considering the lack of sophistication of the attack.
Anyone who has downloaded and installed InstaAgent, or similar apps, has been asked to delete it and change their passwords for security reasons. Thankfully, both Apple and Google are being proactive about removing these sorts of things from the app store, although they cannot possibly stop every piece of malware, and users should really be taking extra steps to protect themselves.