Password-Stealing Instagram App 'InstaAgent' Reappears in App Store Under New Name

[MacRumors]

Last November, a malicious app called InstaAgent was caught storing the usernames and passwords of Instagram users, sending them to a suspicious remote server. After the app's activities came to light, Apple removed it from the App Store, but it now appears Turker Bayram, the developer behind the app has managed to get two new apps approved by Apple, (and Google) both of which are stealing Instagram account info.

Peppersoft developer David L-R, who discovered the insidious password-sniffing feature in the first InstaAgent app, last week wrote a post outlining new password stealing apps created by Bayram. Called "Who Cares With Me - InstaDetector" and "InstaCare - Who Cares With Me," the apps are available on Android and iOS devices.

The original InstaAgent app attracted Instagram users by promising to track the people who visited their Instagram account, and the two new apps make similar promises. Both apps say they display a list of users who interact most often with an Instagram account, asking users to log in with an Instagram username and password.

David L-R investigated Bayram's new apps and discovered a suspicious HTTPS packet, leading him to uncover a complex encryption process used to covertly send usernames and passwords to a third-party server and hide the evidence. He found both the Android and iOS versions of the app send Instagram account information to unknown servers.

As I had a closer look to the iOS app I found out that the app steals the Instagram password & username to send it encrypted to "unknown" servers. The "password-stealing" algorithm and the encryption seems to be the same as in "InstaCare - Who cares with me?" a new iOS app from the "InstaAgent" developer, which malicious behaviour I discovered a few days ago. A working PoC (Proof of concept for the iOS version) can be found here.

Multiple reviews on the iOS App Store claim that after using the malicious Instagram apps, their accounts were compromised with spam photos advertising the app that were uploaded to their feeds. As with InstaAgent, the apps show up prominently in the Top Charts in some countries, though not in the United States.

Bayram's ability to get multiple new apps approved by Apple after having been found guilty of harvesting Instagram account information speaks towards the glaring issues in Apple's app review policies. It is unclear how a developer who was caught operating a malicious app was able to get additional apps past Apple's radar.

There are dozens if not hundreds of low-quality third-party apps that promise to provide Instagram users with followers and other perks, which should be avoided to avoid having account information stolen. Instagram cautions against installing third-party apps that don't follow its Community Guidelines and says such apps are "likely attempts to use your account in an inappropriate way."

(Thanks, Sizofrenik!)

Article Link: Password-Stealing Instagram App 'InstaAgent' Reappears in App Store Under New Name

 

[Michaelgtrusa]

Nothing surprises me anymore.

 

[chrismail627]

Here's a suggestion: Just don't install these apps in the first place! Is it really worth the risk to know who visited your Instagram?

 

[japanime]

Why doesn't Apple pursue criminal charges against these "developers"?

 

[centauratlas]

Revoke their accounts and certificates.

 

[macs4nw]

How the hell did Apple approve these Apps knowing what they did about Bayram?

 

[thisisnotmyname]

I can see the app review process being a daunting one given the volume Apple sees in App Store but it is disturbing that this type of thing gets through once let alone repeatedly.

 

[t0mat0]

One of the really annoying things about the App Store - no real way to report these apps - one look at the reviews gives you a heads up it's a dodgy app.

Why not have a way to re-review?

 

[garirry]

Honestly, I think there's starting to be a lack of quality control from Apple. Not trying to scold them or anything, but it's been multiple times in fairly short intervals that a malicious app like this appeared on the store.

 

[TMRJIJ]

Fool Apple once - shame on them
Fool Apple twice - shame on Apple for not sending them to the white room prison the first time

 

[iThingsGurl]

Both the apps have been on the top 10 list in the Canadian App Store since a few days now.

 

[japanime]

There seem to be a lot of snakes loose in the walled garden.

 

[AbSoluTc]

Developer should have been banned the first time and any subsequent apps denied period. Not sure how someone at Apple fouled this up. It does NOT bode well for the whole "secure" thing right now.

Aren't there laws against **** like this? Can't the guy get fined/jailed? I mean we lock up people for even less these days.

 

[You are the One]

Sneaky guys out there. That's why it's important Apple continues their security and privacy fight.

Social media in general is mainly an intelligence gathering system.

 

[Agilis]

Apple seriously needs to get it together as far as apps are concerned. Apple must figure out a better way to monitor the reviews of these apps, as well as support a 'report this app' feature where a team trained in investigating such issues exists. Perhaps Apple should build some centers in different parts of the country where these specialze teams exist with a sole purpose of monitoring the app store. I'm not alone when I say that the app store review system is simply a disorganized mess and the recent lack of quality control is proof of that.

 

[zorinlynx]

What the heck possesses people to install this crap anyway?

 

[ProjectManager101]

Damn... probably the FBI can hire him to hack the iPhone, it seems anybody can except the FBI. There may even be an app for what the FBI wants. Go to the app store dudes!

 

[OneMike]

Don't put your ___ app password in anything other than ___ app. Simple practice yet some find so hard to follow.

 

[loopmein]

How the hell did Apple approve these Apps knowing what they did about Bayram?

You know, Apple is not a robotic, autonomous entity, they're human beings who make errors of judgment

 

[mwd25]

We are all human, and humans make mistakes......I get that. But for someone, on their own, who doesnt work for Apple to be the one discovering this??? For it to be this guy that finds out about it and he has to be the one to warn everyone, well, that is a major issue. Apple clearly needs to fire the people checking apps now, and hire the guy who found this issue asap.

 

[ardchoille50]

Don't put your ___ app password in anything other than ___ app. Simple practice yet some find so hard to follow.

Seriously! I don't even trust the ___ app in the App Store. I go to their website and look for an App Store link for their app. Once I find the link, I read all of the negative reviews (positive reviews can be purchased, there are folks with several iCloud accounts just for this purpose). Only then do I trust the ___ app enough to even download it. And that's after asking myself if I really need the app.

Common sense is like deodorant, the people who need it the most use it the least.

 

[mejsric]

Its useless to banned this developer, he will just create again and again.

This person should be jailed.

 

[DoctorTech]

I can see the app review process being a daunting one given the volume Apple sees in App Store but it is disturbing that this type of thing gets through once let alone repeatedly.

I agree. At a minimum the developer needs to have his account closed / certificate revoked and if laws have been broken (I'm not entirely sure on this) then prosecution would be appropriate.

 

[MacDarcy]

I didn't download any of these apps....but today I had my Instagram account hijacked. They changed my username and password, put a pic of some woman squeezing her boobs together with the caption "come lick them baby" I was like WTF?!! I don't know if they hacked my email account or my Instagram account...but luckily I was able to reset my password and reclaim my Instagram account. I really thought I lost 3 years of pictures as well as my account. We live in a new world of virtual thieves.

 

[Elian_Gonzalez]

Here's a suggestion: Just don't install these apps in the first place! Is it really worth the risk to know who visited your Instagram?

It's irresistible to human nature, just like wanting to see how many upvotes one gets. People may deny they do that, but they often do because they want to see if their bon mots received due attention.