Hundreds of thousands of Instagram accounts – perhaps a half million or more – have been compromised after users installed InstaAgent, an app that claimed it could track who viewed your Instagram account. “Who Viewed Your Profile – InstaAgent” malware/scamware had been downloaded a “half million times” from Apple’s App Store and downloaded between 100,000 and 500,000 times from Google’s Play Store before Apple and Google pulled the malicious app.
After iOS app developer David Layer-Reiss, aka “PeppersoftDev,” downloaded InstaAgent, he discovered it was reading Instagram account usernames and passwords, and then sending the unencrypted passwords to a remote server. The app was also using the credentials to hijack accounts and post unauthorized photos to Instagram profiles.
While it's been reported that the app hit the top of the download charts in Canada and the UK as well as made it to the top 30 apps in Germany, App Annie analytics showed it reached the top spot in the App Store’s free chart in 15 countries. Google took action first, yanking the app from the Play Store; it took Apple a bit longer, but it too axed the malicious app.
If you installed InstaAgent, then you should assume your Instagram account is compromised; uninstall the app and change your Instagram password immediately. Instagram is supposedly sending warning emails to InstaAgent users, alerting them to the fact that their account was probably hacked. And since people tend to embrace the horrible habit of reusing passwords, you should consider changing passwords for other accounts if you used your Instagram password elsewhere.
Instagram told the BBC, “These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”
Yesterday Reddit user Jordan6721 warned that InstaAgent was a scam and that the developer was “likely earning thousands a day,” meaning he was “earning more than Skype.” The developer was “earning money through in-app purchases, the highest being over $10, to see the top 100 people who view your profile. Of course this is all a lie, yet he's still on the App Store, likely earning over $50k a day from a scam. To put it in perspective, it's 5 spots down from Candy Crush in the grossing charts, which earns $750k a day. Who said crime doesn't pay?”
“It’s certainly unusual for both the Google and Apple app stores to clear scamware like the InstaAgent profile viewing app, especially given that profile viewing scams have been around for a while and should be pretty well known to the human screeners at these app stores,” said Tod Beardsley, Principal Security Research Manager at Rapid7. “With the notable exception of the professional networking site LinkedIn, most social media platforms do not offer this ‘reverse stalking’ capability, but this doesn’t stop the hopeful from trying an app that promises to deliver on impossible functionality.”
While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about half a million username and password combinations. Since people routinely reuse passwords across social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed from the exposed one. For example, many people use “unique” passwords that incorporate the site’s name or an easy mnemonic, like “password.Insta” or the like. It wouldn’t be difficult to surmise that someone who used that password might also use “password.Twit” for Twitter.
Those passwords were also, incidentally, being transmitted in the clear, so there’s no telling who else also had the opportunity to collect this sensitive data.