Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' FeedsInstaAgent, an app that connects to Instagram and promises to track the people that have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.
An app developer from Peppersoft
downloaded InstaAgent -- full name "Who Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server - instagram.zunamedia.com.
<img src="
" alt="passwordzunemedia" width="750" height="201" class="aligncenter size-full wp-image-472722" />
InstaAgent is also using the credentials to log into accounts and
post unauthorized images. Instagram does not permit third-party apps to upload photos to user accounts.
<img src="
" alt="instagramunauthorizedposting" width="348" height="300" class="aligncenter size-full wp-image-472728" />
While
InstaAgent isn't particularly popular in the United States, it is currently the number one free app in both the United Kingdom and Canada, with thousands of downloads that puts a huge number of Instagram users at risk of having their information stolen. In the Google Play store, the app had between 100k and 500k users, and the install numbers could be similar for iOS.
<img src="
" alt="topapps" width="719" height="261" class="aligncenter size-full wp-image-472723" />
Google has removed the
InstaAgent Android app from the Google Play store, but
InstaAgent is still available in the iOS App Store for the time being. Anyone who has downloaded
InstaAgent should delete the app immediately and change their Instagram password.
<center><blockquote class="twitter-tweet" lang="en"><p lang="en" dir="ltr">I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times.</p>— David L-R (@PeppersoftDev)
November 10, 2015 <script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script></center>Passwords for other sites and accounts that were the same as the Instagram password should also be changed as a precaution. We also highly recommend a password management app like
1Password, which can generate unique complex passwords for each and every site or service. Instagram also advises
against installing third-party apps that don't follow its Community Guidelines.
There are dozens if not hundreds of third-party apps that promise to provide Instagram users with followers and other perks, and these kind of apps should be avoided. According to Instagram, these apps are "likely an attempt to use your account in an inappropriate way" as
InstaAgent does.
Update 3:20 p.m. Pacific Time: InstaAgent has now been removed from the iOS App Store.
<div class="linkback">Tags: <a href="
http://www.macrumors.com/roundup/instagram/"/>Instagram[/url], <a href="
http://www.macrumors.com/roundup/instaagent/"/>InstaAgent[/url] </div>
Discuss this article in our forums
<div class="feedflare">
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=yIl2AUoC8zA" border="0"></img>[/url]
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=6W8y8wAjSf4" border="0"></img>[/url]
<img src="[url]http://feeds.feedburner.com/~ff/MacRumors-Front?d=qj6IDK7rITs" border="0"></img>[/url]
</div><img src="
http://feeds.feedburner.com/~r/MacRumors-Front/~4/uTLDFKpWCtU" height="1" width="1" alt=""/>
Source:
Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds
