Apple and Google pull app off their stores

Nov 12, 2015 06:07 GMT  ·  By

Apple has removed the "Who Viewed Your Profile - InstaAgent" app from the App Store after a software developer found out that the app in question was secretly stealing Instagram credentials from its users.

David L-R of PeppersoftDev came across some serious privacy issues when analyzing the source code of InstaAgent, one of the App Store's most popular free apps, with over 500,000 downloads. The app allowed users to examine their Instagram profile and see the top users that viewed their profile.

Looking at the app's behavior, David found that InstaAgent was harvesting Instagram user credentials and sending the information to the instagram.zunamedia.com server.

This data was not even protected, being sent unencrypted over plain HTTP, meaning that anyone who knew what to look for could have intercepted the transmissions and gained access to thousands of Instagram usernames and passwords in cleartext (see tweet below).
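The problem described above is one a network analyst can spot mechanically: a credential-bearing form body leaving the device over plain HTTP, addressed to a host that is not the service the user actually logged in to. The following Python audit is an added example, not code from the original article or from anyone involved in the case. It works on a constructed capture of raw HTTP/1.1 requests (each paired with a flag saying whether it was carried over TLS); the field names in `CREDENTIAL_KEYS`, the hosts in `EXPECTED_AUTH_HOSTS`, and the request paths and form values are assumptions made for the example, while `instagram.zunamedia.com` is the server named in the article.

```python
from urllib.parse import parse_qs

# Form-field names that commonly carry a credential (assumption for this example).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass", "token", "access_token"}

# Hosts a legitimate Instagram login is expected to reach (assumption for this example;
# a real audit would take this list from the service's documented API endpoints).
EXPECTED_AUTH_HOSTS = {"www.instagram.com", "api.instagram.com", "i.instagram.com"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_request(raw: str, tls: bool):
    """Return a list of findings for one captured request.

    Two independent checks are applied to any request whose form body carries a
    credential-like field: (1) was it sent in the clear, and (2) did it go to a
    host other than the ones the login should reach.
    """
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    content_type = headers.get("content-type", "")
    form = parse_qs(body, keep_blank_values=True) if "application/x-www-form-urlencoded" in content_type else {}
    cred_fields = sorted(k for k in form if k.lower() in CREDENTIAL_KEYS)
    findings = []
    if cred_fields:
        if not tls:
            findings.append(f"plaintext credential field(s) {cred_fields} sent to {host}{path} over HTTP")
        if host not in EXPECTED_AUTH_HOSTS:
            findings.append(f"credential field(s) {cred_fields} sent to unexpected host {host}")
    return findings


def audit_capture(capture):
    """Audit a whole capture: an iterable of (tls, raw_request) pairs."""
    return [finding for tls, raw in capture for finding in audit_request(raw, tls)]


# Constructed sample capture (not real traffic): one exfiltration-style request to the
# third-party host over plain HTTP, one normal login over TLS, one harmless GET.
CAPTURE = [
    (False,
     "POST /login HTTP/1.1\r\n"
     "Host: instagram.zunamedia.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=example-secret"),
    (True,
     "POST /accounts/login/ HTTP/1.1\r\n"
     "Host: api.instagram.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "username=alice&password=example-secret"),
    (False,
     "GET /stats?user=alice HTTP/1.1\r\n"
     "Host: instagram.zunamedia.com\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit_capture(CAPTURE):
        print("FINDING:", finding)
```

Run against the constructed capture, only the first request is flagged, and it is flagged twice: once for travelling in the clear and once for reaching a host outside the expected login endpoints. The two checks are kept separate because they fail independently; the same credential posted to a third-party host over HTTPS would still be an exfiltration, and a plaintext login to the genuine service would still be interceptable.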

InstaAgent also had an Android version

Some users later came out and said that the app also posted messages on their behalf. The app did not require permissions from the Instagram API, so this means it was probably using the stolen usernames and passwords to do this.

Apple removed InstaAgent from the App Store when told of the issues. Google also pulled InstaAgent's Android version from the Play store. It is not yet confirmed whether the Android version also contained the spying functionality in its code.

This is not the first case of malicious apps found in the App Store. In the past two months, we had the XcodeGhost disaster, in which a trojanized version of Xcode silently injected malware into otherwise clean apps at compile time, and the case of various apps that infringed on user privacy or contained malicious SDKs inside their code.

Following the media attention to this case, Zuna Media released a public statement on its website, which you can read below.

Zuna Media Statement