If you’re one of the thousands of people with an app named Who Viewed Your Profile – InstaAgent installed on your smartphone, stop using it and delete it right now. Why? Because it’s stealing your password, transferring it to a server, and then posting images on your Instagram account suggesting others should also download the app.
Updated on 11-12-2015 by Andy Boxall: Added in statement on InstaAgent supplied by the developer.
The app is a third-party Instagram client that promised to tell you who visited your Instagram account, something it could only attempt to do once you’d handed over your username and password. This function was never carried out, and seemingly the app’s sole intention was to steal Instagram logins. It has since been removed from both stores.
Developer responds to hack allegations
Following the removal of InstaAgent, the developer posted a statement online on the situation, apologizing to its users. The explanation is in broken English, but claims no accounts were stolen, and passwords were never saved on the developer’s server. “There is nothing wrong, but again and and again we apologize,” it’s written. It appears the app was developed and released with a “debug” mode active, where a photo advertising the app was posted to Instagram without authorization. This was originally a feature, and sharing the image an alternative to paying for a complete list of users visiting an Instagram account, something the app actually couldn’t offer anyway.
Was it all a mistake? A security consultant speaking to the BBC says, “Offering users an app to see who has viewed their profile is a classic way of scamming users into installing malware.” Despite the developer’s apology and explanation, the consultant says InstaAgent’s methods of collecting and sending passwords was “highly unorthodox.” The published statement doesn’t offer any explanation regarding the sending and storing of login details.
The developers behind InstaAgent say the debacle is “good training.” The team promises it will read privacy policies more carefully, and apps will be “controlled and fully tested before publishing” next time. The question is, would you want to download another app from them?
How it all started
InstaAgent’s activity was spotted by a developer who tweeted that in his estimation, it’s the first piece of iOS malware to be downloaded at least 500,000 times. The app held the number one position in the free UK and Canadian iTunes App Store chart, and was available in the Google Play Store for Android phones, where download numbers also hit the half million mark.
I would say “Who Viewed Your Profile – InstaAgent” is the first malware in the iOS Appstore that is downloaded half a million times.
— David L-R (@PeppersoftDev) November 10, 2015
What to do if you installed the app
If you have the app on your phone, uninstall it now and as a precaution, change the password to your Instagram account. The developer responsible for bringing attention to the app’s secret noted it sent the account information collected to a mysterious server, so there’s a chance any logins may be stored and used again. We’d also suggest checking your Instagram feed for any photos you didn’t post.
Using third-party apps to upload photos to Instagram is against the site’s rules, along with attempts to gain likes and followers. The app in question isn’t the only one of its type for iOS and Android, and although none of the others have been exposed as malware yet, there’s always a risk attached to handing over login credentials to unofficial apps that offer services outlawed under a site’s rules.
