Over 100,000 Instagram users recently fell victim to a scam, giving up their passwords and accidentally ceding control of their accounts to a tricky Swedish botnet called Instlike.
Instlike tricked people because it looked legitimate. Philip Cristofar, a digital director at Volontaire, documented his experience with the tricky app, noting that he downloaded it because it had a bunch of real-looking positive user reviews. He discovered that the reason it had so many positive reviews is that the app gives you 100 free coins if you rate it in the App Store. That only equals $1, so apparently a lot of users have a very low going rate to be shills.
But despite the positive reviews, Instlike is up to no good. You sign up and it’s supposed to deliver “likes” to your Instagram photos — something people are willing to pay money for, as we found when we documented the market for fake Instagram likes. But it doesn’t just get you likes — the app also likes the photographs of others from your account.
Now, this network of automated liking isn’t nefarious in and of itself, although it does suggest that people care more about outward manifestations of social affirmation than the sentiment behind them, which is both sad and totally believable. People are willing to relinquish control of their account to allow a bot to randomly like the photos of others in return for other automated likes. I’d be a little worried the bot was liking stuff I found terrible, but I suppose the users of Instlike don’t share that concern, or their desire for a surplus of likes on their own photos outweighs the possibly unsavory photos they’re endorsing. But even though I find that line of thinking hard to understand, that’s not the scam.
Here’s where Instlike gets fishier than a pound of pickled herring: it doesn’t use the Instagram API for all of this, so it asks users for their username and password and is really just logging into their accounts remotely. And Instlike shares the bloody politics of a drug cartel: you can’t just leave. Users have reported that even after they get rid of the app, they still end up liking the photos of strangers. Once an Instliker, always an Instliker.
The good news, if you didn’t download Instlike, is that it’s no longer around. It was recently removed from the App Store and the Google Play Store, so if you haven’t already fallen victim, you should be in the clear. But keep on the lookout for anything developed by Anton Lobovkin, who was behind this bot.
But what about avoiding apps like Instlike? If you’re going to download an app that allows you to get random likes from others in exchange for random likes from you, you’re going down a dark path. But whatever kind of dumb app you’re downloading, NEVER GIVE YOUR PASSWORD. Legitimate apps don’t need to know your password. You can even make this tip into an acronym: NGYP. Not as catchy as YOLO but definitely effective at avoiding scams.