We’re all used to Instagram creeping, but this is too far. On Tuesday, Apple and Google both removed a popular third-party Instagram app from their respective app stores for illegally harvesting user information.
The InstaAgent app purported to show users who had viewed their profile, a promise that malicious programs have been making since the early days of social media. An iOS developer who goes by David-L on Twitter first brought the issue to light when he discovered that the app was harvesting usernames and passwords and sending them to an unencrypted server.
InstaAgent stored the user login information in plaintext on the server and, in some cases, used it to post to a user’s Instagram account without their permission. The server, hosted at instagram.zunamedia.com, has been flagged as a phishing site by CloudFlare.
In light of the discovery, Apple and Google removed InstaAgent from the iOS App Store and Google Play Store, but not before the app racked up at least 500,000 downloads. InstaAgent charted as a top downloaded app in several countries including Canada, the United Kingdom, and Germany.
Apps containing malicious code aren’t a new phenomenon, but InstaAgent marks the second major instance of a compromised product sneaking into the iOS App Store’s walled garden. Earlier this year, several apps from Chinese developers were able to bypass Apple’s review process because they had been built with a modified version of Xcode, Apple’s iOS development software. Those apps mined user data until Apple wiped them from the App Store.
Other apps claiming to serve the same purpose as InstaAgent—to inform users of who visited their profile—are still available in the App Store. There is no indication that those apps are guilty of the same sort of data harvesting as InstaAgent, but they also probably aren’t providing the service they claim to be.