Apps haven't been removed from Apple and Google's app stores

Mar 21, 2016 17:50 GMT

For the second time in six months, Apple has been fooled into accepting onto its App Store a rogue application that steals a user's Instagram username and password.

The app's developer also fooled Google, uploading a clone of his rogue app to the Play Store as well. The Android app is named "Who Viewed Me on Instagram" and has around 23,000 users, while the iOS app is named "InstaCare - Who cares with me?" and is one of the most popular apps in Germany.

Apps were developed by the same dev who stole Instagram creds last year

What's more unsettling is that the app was created by the same developer (Turker Bayram) who created the InstaAgent Android and iOS apps, which were caught last November doing the same thing, secretly stealing Instagram credentials.

According to David L-R of PeppersoftDev, the man who discovered these two new apps and the previous InstaAgent apps, once users install InstaCare, they're immediately forced to log in with their Instagram credentials, which are then encrypted and sent to the attacker's server.

Because InstaCare advertises itself as an app that shows you who viewed your profile, most users don't think of this as strange and enter their credentials without asking what really happens to them.

Once the attacker has the credentials saved on their server, they'll use them at a later time to secretly log in to the hacked accounts and post spam and ads on the users' behalf.

Kaspersky verified the researcher's claims

Security researchers for Kaspersky have also confirmed David's findings, and at the time of writing this article, neither Apple nor Google has removed the malicious apps from their app stores.

The fact that both Apple and Google got fooled again and by the same developer shows how hard it is to manage large-scale app stores in an efficient and secure manner. Nevertheless, the entire situation is a little annoying, maybe because the two should have flagged the developer to begin with.

One of the malicious apps on Google's Play Store