Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,622
16,770



InstaAgent, an app that connects to Instagram and promises to track the people that have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.

An app developer from Peppersoft downloaded InstaAgent -- full name "Who Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server - instagram.zunamedia.com.

passwordzunemedia.jpg

InstaAgent is also using the credentials to log into accounts and post unauthorized images. Instagram does not permit third-party apps to upload photos to user accounts.

instagramunauthorizedposting.jpg

While InstaAgent isn't particularly popular in the United States, it is currently the number one free app in both the United Kingdom and Canada, with thousands of downloads that puts a huge number of Instagram users at risk of having their information stolen. In the Google Play store, the app had between 100k and 500k users, and the install numbers could be similar for iOS.

topapps.jpg

Google has removed the InstaAgent Android app from the Google Play store, but InstaAgent is still available in the iOS App Store for the time being. Anyone who has downloaded InstaAgent should delete the app immediately and change their Instagram password.

I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times. - David L-R (@PeppersoftDev) November 10, 2015
Passwords for other sites and accounts that were the same as the Instagram password should also be changed as a precaution. We also highly recommend a password management app like 1Password, which can generate unique complex passwords for each and every site or service. Instagram also advises against installing third-party apps that don't follow its Community Guidelines.

There are dozens if not hundreds of third-party apps that promise to provide Instagram users with followers and other perks, and these kind of apps should be avoided. According to Instagram, these apps are "likely an attempt to use your account in an inappropriate way" as InstaAgent does.

Update 3:20 p.m. Pacific Time: InstaAgent has now been removed from the iOS App Store.

Article Link: Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds
 

pgiguere1

macrumors 68020
May 28, 2009
2,161
1,127
Montreal, Canada
Not only that, but they're selling a bunch of IAPs to people claiming it will allow them to see who looked at their Instagram profile the most.

So they have two shady income sources: misleading IAPs + account spamming.
 
  • Like
Reactions: TimSHB

applerocks

macrumors regular
Jun 7, 2005
159
68
How on earth did Apple approve this? Goodness. Wonder if they also posted the Facebook privacy message on their news feed, and sent money to recover their long-lost uncle in Africa.

Seems like the appropriate time for Apple to use the "kill switch" on iOS Apps and shut this thing down.
 

Phil A.

Moderator
Staff member
Apr 2, 2006
5,711
2,868
Shropshire, UK
While it's easy to victim blame people who have been caught out by this, it highlights a big issue with the curated App Store model: many people implicitly trust that any app that Apple has allowed onto the store will not be malicious and they will therefore do stupid things (such as providing their login details)

This is a massive breach of trust by Apple and they need to take the review process a hell of a lot more seriously than they appear to be doing

It's also ironic that Google have already killed this on their store, but it's still there on the iOS store!
 

TheHateMachine

macrumors 6502a
Sep 18, 2012
846
1,354

Rafagon

macrumors 6502a
Jun 19, 2011
507
431
Miami, FL

jpgr15

macrumors 6502a
Apr 28, 2015
528
992
While it's easy to victim blame people who have been caught out by this, it highlights a big issue with the curated App Store model: many people implicitly trust that any app that Apple has allowed onto the store will not be malicious and they will therefore do stupid things (such as providing their login details)

This is a massive breach of trust by Apple and they need to take the review process a hell of a lot more seriously than they appear to be doing

It's also ironic that Google have already killed this on their store, but it's still there on the iOS store!

I agree. I'm not a developer but just an average user with some common sense. While I wouldn't download an app like this, I think most trust that if it's on the app store, it at least won't steal your personal information. I mean, even Apple says not to download anything outside of the app store. That almost implies if it is in the app store, it should be trusted.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.