Apple, Google Pull Popular App that Stole Instagram Passwords
A free app that purported to let users know who has viewed their Instagram profiles has been pulled by Apple and Google after it was found to be stealing users' passwords. The InstaAgent app had been downloaded at least 500,000 times from the Apple App Store, according to a developer who raised an alert on his Twitter page.
David Layer-Reiss, an iOS developer based in Germany who runs a software firm called Peppersoft, first tweeted a warning about the app yesterday with a link to the iTunes page -- now no longer available -- where users could download it. Under the header "Top news," he tweeted, "'Who Viewed Your Profile -- InstaAgent' (iPhone) steals you (sic) Instagram password! Do not use this app!"
After the app was removed from the Apple and Google app stores, Layer-Reiss tweeted an update noting that InstaAgent "is the first malware in the iOS Appstore (sic) that is downloaded half a million times." According to other reports, InstaAgent had been downloaded from the Google Play Store between 100,000 and 500,000 times, predominantly by users in the U.K. and Canada.
App Showed 'Strange Information'
Apple did not respond to our request for comment about the app. However, a Google spokesperson told us, "All apps on Google Play are required to follow our policies. While we don't comment on specific apps, we remove applications that violate these policies. If users come across any such apps, we encourage them to report it to our support team."
Layer-Reiss told us via e-mail that he first became suspicious about InstaAgent after spotting it in the top charts of Apple's iOS store earlier this week.
"I was wondering how they could provide information that Instagram couldn't or would not," he said, adding that after he downloaded the app, "as expected the app was showing me some strange information about my 'top' Instagram visitors."
The large number of five-star ratings for the app on the Apple store also raised questions, he said. "How could a[n] app get this much five star ratings?" he said. "That was suspect. So I analyzed the network traffic of the app."
He subsequently found that the app was sending users' account information to an unknown server, enabling someone other than the account owner to log into and post to their Instagram accounts. While the app itself was free, it did offer in-app purchases that could cost users money.
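The check Layer-Reiss describes, credentials leaving an app for a host that is not the service's own, can be triaged from a proxy capture. The following is an added illustration, not the article's or Layer-Reiss's code; the trusted host list, field names and captured requests are constructed for the example.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumption: the only host an Instagram client legitimately needs to send
# credentials to is instagram.com (or a subdomain of it).
TRUSTED_SUFFIXES = ("instagram.com",)
# Form/JSON field names that indicate a credential or session secret.
SECRET_KEYS = {"password", "passwd", "pass", "pwd", "token", "access_token"}

# Constructed sample of proxy-captured requests; not real InstaAgent traffic.
CAPTURED = [
    {"method": "POST", "url": "https://www.instagram.com/accounts/login/ajax/",
     "body": "username=alice&password=hunter2"},
    {"method": "GET", "url": "https://www.instagram.com/alice/?__a=1", "body": ""},
    {"method": "POST", "url": "https://stats.example-analytics.invalid/collect",
     "body": "u=alice&pwd=hunter2&device=iPhone"},
    {"method": "POST", "url": "https://api.example-cdn.invalid/v1/ping",
     "body": json.dumps({"app": "demo-client", "version": "1.0"})},
]

def host_is_trusted(host):
    """True if host is exactly a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def extract_secret_fields(body):
    """Return credential-like field names found in a form-encoded or JSON body."""
    body = body.strip()
    if not body:
        return set()
    if body.startswith("{"):
        try:
            data = json.loads(body)
        except ValueError:
            return set()
        keys = data.keys() if isinstance(data, dict) else []
    else:
        keys = parse_qs(body, keep_blank_values=True).keys()
    return {k for k in keys if k.lower() in SECRET_KEYS}

def find_credential_exfil(requests):
    """Flag requests that carry credential-like fields to an untrusted host."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        secrets = extract_secret_fields(req.get("body", ""))
        if secrets and not host_is_trusted(host):
            findings.append((host, sorted(secrets)))
    return findings

if __name__ == "__main__":
    for host, fields in find_credential_exfil(CAPTURED):
        print(f"credential-like fields {fields} sent to untrusted host {host}")
```

Only the third request is flagged: the login POST goes to the service itself and the JSON ping carries no secret fields.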
Users Should Change Passwords
This is the second time in as many months that apps that passed Apple's review process for listing in its store have been found to exhibit malicious behavior. Last month, Apple removed more than 250 apps from its store after the code watchdog company SourceDNA found they were based on an SDK that violated users' privacy.
In this latest instance involving InstaAgent, users who downloaded the app are being urged to change their Instagram passwords.
"Assuming the hundreds of app reviews made by the Apple or Google reviewer team, it's nearly impossible to have such a close look on the source code and on the detailed network traffic of an app," Layer-Reiss told us. However, users should watch for certain red flags before downloading third-party apps, he added.
"Every app that promises you a feature that an 'official' source (in this case Instagram) cannot provide (or is not willing), should be distrusted by users," he said.