
Diego Castano / flickr (CC by 2.0) | Remix by Max Fleishman

This Instagram app may have stolen over 500,000 usernames and passwords

Insta-damn.

 

AJ Dellinger


Posted on Nov 11, 2015   Updated on May 27, 2021, 4:18 pm CDT

We’re all used to Instagram creeping, but this is too far. On Tuesday, Apple and Google both removed a popular third-party Instagram app from their respective app stores for illegally harvesting user information.

The InstaAgent app purported to show users who had viewed their profile, a promise that has been made by malicious programs since the early days of social media. An iOS developer who goes by David-L on Twitter first brought the issue to light when he discovered the app was harvesting usernames and passwords and sending the information to an unencrypted server.

https://twitter.com/PeppersoftDev/status/664066647360151552

InstaAgent stored the user login information in plaintext on the server and, in some cases, used the information to post to a user’s Instagram account without their permission. The server, hosted at instagram.zunamedia.com, has been flagged as a phishing site by CloudFlare.

https://twitter.com/PeppersoftDev/status/664116449666048000

In light of the discovery, Apple and Google removed InstaAgent from the iOS App Store and Google Play Store, but not before the app racked up at least 500,000 downloads. InstaAgent charted as a top downloaded app in several countries including Canada, the United Kingdom, and Germany.

Apps containing malicious code aren’t a new phenomenon, but InstaAgent marks the second major instance of a compromised product sneaking into the iOS App Store’s walled garden. Earlier this year, several apps from Chinese developers were able to bypass Apple’s review process with a modified version of the iOS development software Xcode. Those apps mined for user data until Apple wiped the App Store of them.

Other apps claiming to serve the same purpose as InstaAgent—to inform users of who visited their profile—are still available in the App Store. There is no indication that those apps are guilty of the same sort of data harvesting as InstaAgent, but they also probably aren’t providing the service they claim to be.

H/T Apple Insider

First Published: Nov 11, 2015, 2:22 pm CST