A malicious app called InstaAgent that was pulled from the App Store last November has returned under new names. InstaAgent by Turker Bayram is now being offered as “Who Cares With Me – InstaDetector” and “InstaCare – Who Cares With Me” — both of which are just as malicious as the original.
InstaAgent’s dirty secret was discovered by Peppersoft developer David L-R. The app promised to tell users who had viewed their Instagram profile, but instead, it was sending their usernames and passwords to a suspicious remote server.
Peppersoft developer David L-R, who discovered the insidious password-sniffing feature in the first InstaAgent app, last week wrote a post outlining new password-stealing apps created by Bayram. Called “Who Cares With Me – InstaDetector” and “InstaCare – Who Cares With Me,” the apps are available on Android and iOS devices.
“I’ve analysed the app, to find out if the app steals the Instagram username password again. At first glance it did not seem to, but there is one suspect HTTPS network packet,” he explains. “This would be the second time that this developer published malware into the iOS AppStore!”
Multiple reviewers on the iOS App Store claim that after they used the malicious Instagram apps, their accounts were compromised and spam photos advertising the app were uploaded to their feeds. As with InstaAgent, the apps show up prominently in the Top Charts in some countries, though not in the United States.
It’s unclear how Bayram managed to get more apps past Apple’s App Store review team, but it’s certainly worrying for iOS users. You should avoid apps like this altogether to prevent your information from being stolen, even if they appear genuine.
Instagram warns that apps that don’t follow its Community Guidelines – such as these – are “likely attempts to use your account in an inappropriate way”. The company does not allow users to see who’s viewed their account, so apps that promise to show this are fakes.