Apple, Google Pull Unofficial Instagram App That Harvests Usernames And Passwords

In yet another example of why unofficial apps aren’t always to be trusted, Apple and Google have yanked an app from their app stores that was supposed to let users know who was viewing their profiles. That’s not a thing, and a developer says that the app instead acted as malware, secretly collecting usernames and passwords and using them to post spam to users’ accounts.

An app called “Who Viewed Your Profile — InstaAgent” claimed it could tell users who had been checking them out. Instead, says iOS developer David Layer Reiss (via Apple Insider), the app’s code revealed that it had been storing usernames and passwords and sending them to a remote server.

He also found that some InstaAgent users were seeing spam photos posted to their Instagram timelines, as the app had all the credentials necessary to do so.

Both Apple and Google have removed InstaAgent from their stores, but users who already have the app installed could be affected. Reiss estimates that about 500,000 people could have had their Instagram account details compromised.

Neither Apple nor Google has commented yet, but Instagram says it will be emailing users about InstaAgent, and for now, advises users to get rid of it.

“These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way,” the social media platform said in a statement to the BBC. “We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”

It’s also a good idea to change your password on any other sites or apps where you use that password with the same username, or one that’s very similar to it.
