DESPITE news it had been withdrawn from App Store, I just looked from Australia and it's still there
 
Might want to avoid his other apps too

8:52PM EST - Still available on Peru App Store

DESPITE news it had been withdrawn from App Store, I just looked from Australia and it's still there

Check the O.P. - I believe you're looking at the wrong app, because the one this article is about is gone but there are several more like it with similar names. The full title and a glimpse of the icon are in the O.P.:
-- full name "Who Viewed Your Profile - InstaAgent" --
 
We are getting lots of fake apps into the AppStore while lots of good apps are rejected because of some silly thing that no one cares about.
So true. Look how we are struggling to get our app to App Store. In review for more than 8 days. Still in review.
 
Has Apple ever used their kill switch to not only remove an app from the App Store but also from all iOS devices?

I have never heard of that. Do they actually do this, or are they afraid of the backlash of people complaining about apps disappearing from their phones?
 
They already take 1-2 weeks. For no apparent reason: https://00f.net/2010/10/11/appstore-review-process/
Before you say "this thing is 5 years old", it was exactly the same for the last app I published, 4 months ago: a whopping 3-minute review on an app that took over 2 months to develop. They didn't even test most of the features.

yes, I know already what the app store review process is like.

i've had an app that took literally 2 days to review. it was probably "In Review" for about 3-4 hours before processing to the app store.

i've also had apps that took 3 weeks "In Review" and got rejected.

i have apps that got rejected for ridiculous reasons like having a trademarked name mentioned in the app description.
 
On the other hand, network requests are encrypted by Apple's libraries; it wouldn't be too difficult for Apple to substitute a different library during the review that allows Apple to read everything (which would be legitimate, because it would only be the information of the reviewer that could be read).


what's to prevent a developer from encrypting the plain JSON payload using a different encryption? pretty easy to bypass still.
or even have some logic where if the system date is "2015", do not send password info. but if it's 2016, send password info to the servers. as long as you get it on the app store before 2016, you're good.
 
As long as there are no nipple pictures in it, it passes the appstore review team.
 
slipped it past the monitors eh? sounds like they need some better app approvers
Like a government agency, Apple app approval seems to be more 'check the box and make sure the form looks good' rather than actually looking at the software itself.
 
I saw this in the app store in the top 5 and I thought it didn't look right.

For a start, most savvy users would know that social media sites like Instagram don't reveal stats for users viewing your profile.

Secondly, when I read the reviews, there were loads of dummy reviews with five stars and terrible spelling and use of the English language, something like "Guud get it". All of the one star reviews complained of hacking.

This should have prompted people to stay clear.

The other problem was that it stayed in the app store way too long.

Apple should have a trigger in place to review apps where more than a couple of users have commented complaining about hacking in their reviews. Hacking or hacked being the keyword that initiates the trigger.
 
Question for the developers, how do you access an app's source code to reveal such info?

Through Xcode?

I know how to read a bit of code, how did they hide the hack? I can see it looks like some kind of token?
 
How in the hell did this get past Apple's verification department? What a disgrace, especially for a company known for quality and safety.
 
So an app is able to actually steal the Instagram username and password? Or is this just a social-engineering scam that deceives users into willingly and yet unwittingly sending their info to the scammer?
 
Apple should fire some of its California retail employees who were participating in that lawsuit against it, and hire more people for the App Review department instead.

You realise the apps were reviewed? Maybe just fire everyone !!!
 
That's such a depressing attitude.

As any service grows it's going to encounter things like this. That it's taken as long as it has is really quite remarkable, given the popularity of iOS. There are probably whole communities of folks out there in the world dedicated to finding exploits and implementing them like this just to turn a quick buck.
 
You realise the apps were reviewed? Maybe just fire everyone !!!
You're right. They need MORE employees and a much more thorough testing process. There should be an extensive checklist of tasks that a reviewer has to perform (check app code for malicious code, spam, etc.) before green-lighting a potential app. The reviewer should have to sign off on every item of the checklist. Then the app should not be approved yet--it has to go to that reviewer's supervisor who must ensure (either by random checks, or by double-checking every item on the checklist) that the process has been correctly performed. Both employees need to attach their initials to the app review log (I'm assuming something like this is already happening).

Then, accountability. Three strikes and you're out for these employees. Heck, ONE strike in the case of apps which can potentially cause serious damage or theft of data!
 
You're right. They need MORE employees and a much more thorough testing process. There should be an extensive checklist of tasks that a reviewer has to perform (check app code for malicious code, spam, etc.) before green-lighting a potential app. The reviewer should have to sign off on every item of the checklist. Then the app should not be approved yet--it has to go to that reviewer's supervisor who must ensure (either by random checks, or by double-checking every item on the checklist) that the process has been correctly performed. Both employees need to attach their initials to the app review log (I'm assuming something like this is already happening).

Then, accountability. Three strikes and you're out for these employees. Heck, ONE strike in the case of apps which can potentially cause serious damage or theft of data!

Apple is learning what it means to be popular and have to deal with malicious code on a regular basis. This is new territory for them, things will improve.
 