Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds

[Alenore]

if Apple reviewed all network requests (which can be encrypted btw, so apple can't see the network requests), apps would take about 2-3 months to get reviewed

They already take 1-2 weeks. For no apparent reason : https://00f.net/2010/10/11/appstore-review-process/
Before you say "this thing is 5 years old", it was exactly the same for the last app I published, 4 months ago : a whooping 3 minutes review on an app that took over 2 months to develop. They didn't even test most of the features.

 

[Analog Kid]

Nevermind, wrong InstaAgent.

 

[tranceking26]

View attachment 599169 1) How does this get past Apple?
2) What is wrong with you people?

These apps are obviously to help those desperate people out, they cannot exist without fake internet points and must have as many people following them as possible!

That said, something like this on the app store is a worry, glad it was pulled.

 

[dumastudetto]

Accidents happen. It's really easy to fix. A few slips here and there is way more preferable than Google's Play Store

Exactly. There's no comparison between iOS and Android when it comes to the safety and security of users - iOS is the only choice when you place any kind of value on those two things.

 

[mejsric]

I just wonder what's happened in Google Play Store, any news? Is the apps has been remove also? Or the app was fine there, the developer doesn't put malware on Play Store version only he add it on iOS.

 

[garirry]

InstaAgent, an app that connects to Instagram and promises to track the people that have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.

An app developer from Peppersoft downloaded InstaAgent -- full name "Who Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server - instagram.zunamedia.com.

InstaAgent is also using the credentials to log into accounts and post unauthorized images. Instagram does not permit third-party apps to upload photos to user accounts.

While InstaAgent isn't particularly popular in the United States, it is currently the number one free app in both the United Kingdom and Canada, with thousands of downloads that puts a huge number of Instagram users at risk of having their information stolen. In the Google Play store, the app had between 100k and 500k users, and the install numbers could be similar for iOS.

Google has removed the InstaAgent Android app from the Google Play store, but InstaAgent is still available in the iOS App Store for the time being. Anyone who has downloaded InstaAgent should delete the app immediately and change their Instagram password.

​

Passwords for other sites and accounts that were the same as the Instagram password should also be changed as a precaution. We also highly recommend a password management app like 1Password, which can generate unique complex passwords for each and every site or service. Instagram also advises against installing third-party apps that don't follow its Community Guidelines.

There are dozens if not hundreds of third-party apps that promise to provide Instagram users with followers and other perks, and these kind of apps should be avoided. According to Instagram, these apps are "likely an attempt to use your account in an inappropriate way" as InstaAgent does.

Update 3:20 p.m. Pacific Time: InstaAgent has now been removed from the iOS App Store.

Article Link: Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds

Impressive that this got allowed. But glad it got removed in the end.

Why? What's wrong with Instagram? They should remove SnapChat and Yik Yak.

And Vine.

 

[aslucher24]

How on earth did Apple approve this? Goodness. Wonder if they also posted the Facebook privacy message on their news feed, and sent money to recover their long-lost uncle in Africa.

Seems like the appropriate time for Apple to use the "kill switch" on iOS Apps and shut this thing down.[/QUOTE

Literally my thoughts exactly, they have the "blacklisting" or whatever kill switch they call it, why haven't they used it?

 

[Amazing Iceman]

Spend time on more productive things... Like giving their opinion about how someone else should spend his time on an internet forum they don't even read?

So what's your point? Did you have to uninstall the app from your phone?

 

[joueboy]

I would guess that the people live in a lawless country from which Apple is rather powerless to take any legal action against.

With the money they got plus Google you mean they're still powerless? I thought money controls everything in this world. Nevermind!

 

[6836838]

Might want to avoid his other apps too

 

[Muceda]

8:52PM EST - Still available on Peru App Store

 

[Studioman]

That's such a depressing attitude.

Why because you believe any system can be perfect. Google plays the see no evil role which make exploiting their system much easier. Then no one holds them accountable for doing nothing. Just like you seem upset Apple has a rare instance out of millions of apps but Android is infested with this and worse and 75% of those users will never be fixed because their solution to fixing it is to discontinue support with known active exploits, but that doesn't matter. It's Google. I think I will take Apple's effort any day.

 

[Carlanga]

Ahh posted on t mobile thread and appeared here. Wth mr get your things right.

 

[smoking monkey]

Maybe you're spending too much time following wrong accounts or browsing way too much. Also can be age related from older people I know.

Yeah. the correct amount of time to follow accounts is ZERO!

Although I did use instagram to check my renters out. It's amazing what people will post on the net if you let them!

 

[Stirlo]

The Appstore needs a report button!

This! Though you would need to put in anti Abuse measures so that shady characters get blocked if they Misuse the report button too..

I was trying to report this as it hit my cousin last night, but didn't want to download the malware app so that I could review it! And before I knew the developer didn't have the best intentions I wanted to mail them in case they had Xcode ghost or some variant unbeknownst to them.

 

[louiek]

That's the price of vanity.

 

[69Mustang]

The last review by Kapersky demonstrated that Google Play had thousands more malware-infested apps than iOS. Any claim that Apple is worse than google when it comes to app security is easy to disprove and shows that the poster is disingenuous. It's a rare thing and the app review process is as perfect as it's ever going to get.

Somebody has issues with reading comprehension. That post in no way, shape, or form claims that Apple is worse than Google regarding App security. He simply pointed out Google removed the app first. That's it. Nothing about Google being better. You made that up. Now who's actually disingenuous?

Why because you believe any system can be perfect. Google plays the see no evil role which make exploiting their system much easier. Then no one holds them accountable for doing nothing. Just like you seem upset Apple has a rare instance out of millions of apps but Android is infested with this and worse and 75% of those users will never be fixed because their solution to fixing it is to discontinue support with known active exploits, but that doesn't matter. It's Google. I think I will take Apple's effort any day.

The App Store gets a malicious app and your answer is to write a treatise about Google and Android. Can I get 500 words on malware in Windows too? Equally as relevant.

Exactly. There's no comparison between iOS and Android when it comes to the safety and security of users - iOS is the only choice when you place any kind of value on those two things.

Ahhhh, duma. Mama bear protecting her cub. Grrrrrrrrrr.

 

[appledefenceforce]

Why? What's wrong with Snapchat and Yik Yak? They should remove Grindr and Facebook.

Why? What's wrong with Grindr and Facebook? They should remove anything Google except for Google map.

 

[appledefenceforce]

Thats what Apple's new strategy under new team.....go in big quantity, chuck quality

congratulations for being a spin doctor.

 

[MacBH928]

it makes you appreciate Jobs' vision of quality controlling all apps in the first place

 

[Tech198]

so u'r saying the review process got worse, not better ? There is no help in pleasing people is there.

 

[iPad Retina]

.

 

[Sleepwalker71]

Sorry but I'm not getting it. Why on heck someone need such app? To feel better, pump his ego or what?

 

[unplugme71]

Aren't there APIs so you don't give out passwords now.

 

[Exhale]

Wonder how long it is going to take Apple to remove the app and also fix the hole that allowed it to get through their review system?

From memory I cant remember something like this happening before on iOS? might be wrong..

This isn't uncommon at all - its just that most apps of a malicious nature don't tend to get any notable user base.

The entire reason Apple implemented privacy protections was because of the sheer quantity of apps (popular ones at that) that harvested this data and then sent it off. The protections just about stopped it completely. That system doesn't work against this type of attack though.