Beware: Password-stealing InstaAgent apps have re-emerged on App Store and Google Play Store under new names.
For the second time since November, Apple has been tricked into accepting a malicious app on its App Store that does essentially the same thing as the original InstaAgent: stealing users' Instagram credentials. Google has also been deceived by the rogue app's developer, as a replica of the app can likewise be downloaded from its app store, Google Play.
The iOS app currently carries the name "InstaCare - Who cares with me?" while the Android app is named "Who Viewed Me on Instagram." Both apps have thousands of users at the moment, and the former is also reported to be among the most popular apps in Germany.
David Layer-Reiss of Peppersoft, a mobile development firm in Germany, uncovered the threat and published a blog post containing his analysis of the new apps.
Disturbingly, these credential-stealing apps were built by the same developer as the original InstaAgent, who goes by the name Turker Bayram.
Layer-Reiss says that as soon as users install these apps, they are immediately prompted to enter their Instagram username and password. The credentials are then encrypted and sent to the hacker's server.
Upon effectively stealing the Instagram login credentials of users, the hacker then uses the stolen accounts to post spam images.
"I was astonished that Apple and Google didn’t have a closer look at his new application," says Layer-Reiss. "One should assume a developer who already published a malicious app should be watched more closely."
Kaspersky Lab has also published a blog post confirming the researcher's claims about these apps, along with its own analysis of the rogue apps.
"It is interesting that this application was able to pass the Apple security checks and was published without any problem, even though its controls are more restrictive, without mentioning that apparently this developer already had a history of having published a malicious application before," says Kaspersky, referring to the iOS version of the app.
Kaspersky also advises users to be wary of unknown apps that promise features the service itself does not offer. If a feature is not available on the service's own website, third-party software will usually be unable to provide it.
In the meantime, Layer-Reiss has also posted a tweet warning Android users.
— David L-R (@PeppersoftDev) March 15, 2016