After they remove this crap, they should remove instagram while they're at it.

Why? What's wrong with Instagram? They should remove SnapChat and Yik Yak.

Why? What's wrong with Snapchat and Yik Yak? They should remove Grindr and Facebook.

Why? What's wrong with Grindr and Facebook? They should remove Kik and Tapatalk.

Why? What's wrong with Grindr and Facebook? They should remove Twitter and Pinterest.

Why? What's wrong with Kik and Tapatalk? They should remove Path and Pinterest.
Why? What's wrong with Path and Pinterest? They should remove Storehouse and Tinder.
 
After they remove this crap, they should remove instagram while they're at it.

Why? What's wrong with Instagram? They should remove SnapChat and Yik Yak.

Why? What's wrong with Snapchat and Yik Yak? They should remove Grindr and Facebook.

Why? What's wrong with Grindr and Facebook? They should remove Kik and Tapatalk.

Why? What's wrong with Grindr and Facebook? They should remove Twitter and Pinterest.

Why? What's wrong with Kik and Tapatalk? They should remove Path and Pinterest.

Why? What's wrong with Path and Pinterest? They should remove Storehouse and Tinder.

Why? What's wrong with only these apps? They should just remove all apps from the app store! :D
 
Did this app actually work or was it all bologna? If it did work I might be getting slapped with a restraining order haha
 
While it's easy to victim blame people who have been caught out by this, it highlights a big issue with the curated App Store model: many people implicitly trust that any app that Apple has allowed onto the store will not be malicious and they will therefore do stupid things (such as providing their login details)

This is a massive breach of trust by Apple and they need to take the review process a hell of a lot more seriously than they appear to be doing

It's also ironic that Google have already killed this on their store, but it's still there on the iOS store!

Spot on. The app as advertised isn't of interest to me but I probably wouldn't have thought twice about entering usernames and passwords in an app store app I thought would be useful. Not anymore, obviously.
 
Wonder how long it is going to take Apple to remove the app and also fix the hole that allowed it to get through their review system?

From memory I can't remember something like this happening before on iOS? Might be wrong..
 
Did this app actually work or was it all bologna? If it did work I might be getting slapped with a restraining order haha
Of course it's bologna. That data is not available in any way. What these apps do is pick a random selection of your followers and display that as if they were "looking at your profile" the most.
 
With the developer's account personal information, Apple and Google should team up to sue the people behind this. It's the only way to discourage people from submitting malicious apps.

I would guess that the people live in a lawless country against which Apple is rather powerless to take any legal action.
 
I've seen that Apple's iOS store review process is pretty lax. They approved an app I submitted a couple of years ago that uses the "exit(0)" C function call when it goes into background (e.g. when Control Center or Notification Center appears). For those who don't know, that kills the app's process immediately. Super janky. And the app was clearly a PoS in all other respects too.

Anyway, it's impossible for them to make sure an app isn't phoning home in ways it shouldn't. All these guys had to do was not send the credentials in the clear, and nobody would've noticed. A more secure policy would be to ban all apps that act as illegitimate clients for services. For example, something that logs into Facebook would only be allowed to use Facebook's login API and get a token from that. There wouldn't be any third-party Snapchat clients. You can NEVER trust an app that takes your credentials directly.
 
It is a shame that Apple still hasn't taken action. It's also a shame that there isn't a report button.

I wonder if the author's other apps are affected? The clipboard viewer looks like it would have potential to a malicious mind.
 
After they remove this crap, they should remove instagram while they're at it.
Why? What's wrong with Instagram? They should remove SnapChat and Yik Yak.
Why? What's wrong with Snapchat and Yik Yak? They should remove Grindr and Facebook.
Why? What's wrong with Grindr and Facebook? They should remove Kik and Tapatalk.
Why? What's wrong with Grindr and Facebook? They should remove Twitter and Pinterest.
Why? What's wrong with Kik and Tapatalk? They should remove Path and Pinterest.
Why? What's wrong with Path and Pinterest? They should remove Storehouse and Tinder.

Why? What's wrong with Storehouse and Tinder? They should remove Messenger and LinkedIn.
 
1) How does this get past Apple?
2) What is wrong with you people?
 
How could Apple let this kind of app get approved?

The least Apple can do is report them to the FBI for prosecution.

I would imagine the #1 victims of this scam are teenagers who crave popularity (a huge number!).
Time for them to get wiser and spend time on more productive things
 
Seems like it's getting pulled from the App Store (at least in the U.S.) now (~6:17pm EST)...
Now if you search for "InstaApp" in the US store, you get a list of other apps that promise to do the same thing. Makes me wonder how many of these are also stealing passwords.
 
Apple have now removed it from the UK app store, and presumably all others.

Really needs looking into how this was approved in the first place:

- It sent your password in plain text to their servers (and will now have access to thousands of accounts)
- It logged into your Instagram account and posted without permission
- It had thousands of fake positive reviews
- And it couldn't even do what it advertised, show you who viewed your profile. It just gave you a list of the top 3 most likes/comments, and made you pay up to £10 to see any more.
 
While it's easy to victim blame people who have been caught out by this, it highlights a big issue with the curated App Store model: many people implicitly trust that any app that Apple has allowed onto the store will not be malicious and they will therefore do stupid things (such as providing their login details)

This is a massive breach of trust by Apple and they need to take the review process a hell of a lot more seriously than they appear to be doing

It's also ironic that Google have already killed this on their store, but it's still there on the iOS store!
The last review by Kaspersky demonstrated that Google Play had thousands more malware-infested apps than iOS. Any claim that Apple is worse than Google when it comes to app security is easy to disprove and shows that the poster is disingenuous. It's a rare thing and the app review process is as perfect as it's ever going to get.

How could Apple let this kind of app get approved?

The least Apple can do is report them to the FBI for prosecution.

I would imagine the #1 victims of this scam are teenagers who crave popularity (a huge number!).
Time for them to get wiser and spend time on more productive things

Accidents happen. It's really easy to fix. A few slips here and there is way more preferable than Google's Play Store
 
How on earth did Apple approve this? Goodness. Wonder if they also posted the Facebook privacy message on their news feed, and sent money to recover their long-lost uncle in Africa.

Seems like the appropriate time for Apple to use the "kill switch" on iOS Apps and shut this thing down.

If Apple reviewed all network requests (which can be encrypted btw, so Apple can't see the network requests), apps would take about 2-3 months to get reviewed
 
If Apple reviewed all network requests (which can be encrypted btw, so Apple can't see the network requests), apps would take about 2-3 months to get reviewed

On the other hand, network requests are encrypted by Apple's libraries; it wouldn't be too difficult for Apple to substitute a different library during the review that allows Apple to read everything (which would be legitimate, because it would only be the information of the reviewer that could be read).
 
How could Apple let this kind of app get approved?

The least Apple can do is report them to the FBI for prosecution.

I would imagine the #1 victims of this scam are teenagers who crave popularity (a huge number!).
Time for them to get wiser and spend time on more productive things
Spend time on more productive things... Like giving their opinion about how someone else should spend his time on an internet forum they don't even read?
 
Spot on. The app as advertised isn't of interest to me but I probably wouldn't have thought twice about entering usernames and passwords in an app store app I thought would be useful. Not anymore, obviously.
I'm still avoiding Fantastical (the original) on OS X now that it keeps insisting that I enter my iCloud password. Isn't there an API to access my iCloud calendar?
 