The Google and Apple app stores have pulled the "InstaAgent" third-party Instagram app that claimed to inform users who viewed their social network accounts' profiles, after discovering it was malware/scamware. The malicious software might have hacked up to half million Instagram accounts and stolen passwords, before the tech giants removed them. It also sometimes posted spam photos.
The security of hundreds of thousands of the social media giant's accounts was compromised after users installed the InstaAgent app. The scamware was downloaded from Apple Store at least 500,000 times, and from Google's Play Store between 100,000 and 500,000 times.
App Annie analytics reported that the third-party app reached the top spot in the Apple App Store's free chart in 15 nations. Google pulled it first by axing the malicious app from its Play Store.
Apple Insider reported that the app's source code shows that the malware was collecting usernames and passwords, and sent them to a remote server. It also posted spam photos on some Instagram users' timelines, according to Consumerist.
Anyone who installed the InstaAgent app should assume their Instagram account's security is compromised. They should uninstall the app and then change their Instagram password.
The Facebook-owned social network told the BBC that third-party apps like InstaAgent violate the company's platform guidelines.
On November 10, Tuesday, a Reddit user warned that InstaAgent was a scam. Its developer was likely unscrupulously earning over $50,000 per day from the scam.
Rapid7's Security Research Manager Tod Beardsley explained that it was rare for Apple and Google to remove scamware like the InstaAgent profile viewing app from their app stores, according to ComputerWorld. Most social networks do not provide such "reverse stalking" functionality.