Malware Alert! This app was found to be harvesting user passwords
This is one of those user nightmare stories that make me paranoid.
Just recently, the App Store and Google Play removed a malicious third-party app called “Who Viewed Your Profile – InstaAgent”. This app purportedly allowed you to monitor visitors who viewed your Instagram profile. However, a developer with a German app company, Peppersoft, was reported in this article to have downloaded the app and discovered code that showed the app “reading Instagram account usernames and passwords, sending them via clear text to a remote server – instagram.zunamedia.com”.
The article went on to say that not only was the app harvesting the passwords but it was also using them to log into the harvested Instagram accounts to post unauthorized photos, bypassing Instagram’s policy of not allowing third-party apps to post pictures to user accounts.
It’s possible that many Instagram users in the United Kingdom and Canada, where it is one of the top apps, are exposed. Here is a series of tweets from a Peppersoft developer, David L-R, who goes by the Twitter handle @PeppersoftDev.
Surprise, surprise, #InstaAgent is also posting images without your permission in your #Instagram profile 😂. pic.twitter.com/Syvsv71wcn
— David L-R (@PeppersoftDev) November 10, 2015
#InstaAgent is only able to post an image in your #Instagram account because they got your account password! #hacked pic.twitter.com/0vD1OJBY9l
— David L-R (@PeppersoftDev) November 10, 2015
I would say “Who Viewed Your Profile – InstaAgent” is the first malware in the iOS Appstore that is downloaded half a million times.
— David L-R (@PeppersoftDev) November 10, 2015
Third-party apps that provide more information about our followers can be really attractive. Analytics, demographics and other behavioral information are helpful for tweaking our blogs and social media habits, but, to be honest, they also satisfy our curiosity about our followers.
Unfortunately, for these apps to work, one has to give them express permission, and in this case that entailed keying in one’s password to link Instagram to the third-party app.
If you are one of those who previously downloaded the app, the best thing to do now is this:
1. Immediately delete the app from your mobile phone or tablet.
2. Go to Instagram-Options-Settings-Linked Accounts and check if the app is still listed there. If it is, unlink it from your Instagram.
3. Change your Instagram password to a random, strong one.
It may also be a good time to check your other apps for third-party app permissions and revoke those which you no longer use.