An app called InstaAgent was recently made available on Apple’s App Store and Google’s Play Store. The app claimed that it could track who viewed your Instagram account. Unwary users downloaded it without a second thought and had their accounts hacked. Around half a million user accounts were compromised. The malicious app read the login credentials of Instagram accounts and sent them to a remote server. The app also used the credentials to hijack accounts and post unauthorized photos to Instagram profiles.
The app reached the top spot in the App Store’s free chart in 15 countries. Google removed the app from its Play Store first, followed by Apple.
If you installed InstaAgent by mistake, your Instagram account has definitely been compromised. You need to uninstall the app immediately and change your Instagram password. Instagram has also taken action by sending warning emails to InstaAgent users, alerting them that their account was probably hacked. As people tend to embrace the horrible habit of reusing passwords, you should consider changing the passwords for other accounts if you used your Instagram password elsewhere.
Instagram told the BBC, “These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”
“It’s certainly unusual for both the Google and Apple app stores to clear scamware like the InstaAgent profile viewing app, especially given that profile viewing scams have been around for a while and should be pretty well known to the human screeners at these app stores,” said Tod Beardsley, Principal Security Research Manager at Rapid7. “With the notable exception of the professional networking site LinkedIn, most social media platforms do not offer this ‘reverse stalking’ capability, but this doesn’t stop the hopeful from trying an app that promises to deliver on impossible functionality,” Beardsley added.