Apple and Google have removed a popular third-party Instagram client called InstaAgent from their app stores after an iOS developer discovered that it was harvesting the usernames and passwords of Instagram members.
The ‘Who Viewed Your Profile – InstaAgent’ app claimed, as the name suggests, to be able to show Instagram users who had viewed their accounts/photos. But according to a series of tweets by Peppersoft developer David L-R, InstaAgent had been sending users’ login details in cleartext to a remote server, Instagram.zunamedia.com. This address is not connected to Instagram in any way, despite its name. Furthermore, David also discovered that the app could log into users’ accounts and post photos and spam to their feeds.
Although not hugely popular in the US, InstaAgent was downloaded half a million times worldwide and was particularly well-liked in both the UK and Canada, where it became the number one app in its category. Google responded quickly to the discovery, removing InstaAgent soon after its malicious intentions were revealed. Apple took a little longer but finally removed all trace of the app a few hours after David’s tweets.
The incident should serve as a warning to anyone considering downloading similar unofficial third-party apps and services. Apple and Google have yet to comment on how InstaAgent managed to slip past their usually stringent app scrutiny and become so popular in their app stores, although it’s certainly not the first time malicious software has managed to get past the companies’ review process.
Anyone who has downloaded InstaAgent is advised to uninstall the app and change their password. If any other online services use the same login credentials, as is so often the case, then it would be a good idea to change those as well.