Apple pulls popular Instagram client 'InstaAgent' from iOS App Store after malware discovery
A popular Instagram profile analyzer was on Tuesday pulled from the iOS App Store after being outed as malware by a German developer who found the app harvesting usernames and passwords.
According to a Peppersoft developer who goes by the Twitter handle David L-R, "Who Viewed Your Profile -- InstaAgent" was a nefarious username and password harvesting tool masquerading as an app for monitoring Instagram profile visitors.
Digging into the app's code revealed sensitive account information being sent unencrypted to a remote server, instagram.zunamedia.com, and in some cases used to log in and post unauthorized photos to users' Instagram feeds. David L-R notes the remote server is not connected to Instagram's official network.
Before being yanked from the App Store, InstaAgent was a chart-topping free app in multiple countries including Canada and the UK, suggesting thousands of unsuspecting users unwittingly handed over their Instagram credentials. Hard numbers are currently unavailable, but the developer guesses as many as 500,000 users downloaded the app. The metric matches up with InstaAgent's performance on the Google Play app store, which removed the title earlier today.
While no longer available, the iOS App Store still contains Instagram profile analytics apps looking to capitalize on InstaAgent's success. Some offerings share similar titles like "Who Viewed My Profile" and "Who Viewed My Instagram Profile," while many sport icons showing a shadowy figure wearing a fedora. Instagram urges customers not download, log in or interact with third-party apps.
Making it past Apple's review process is cause for concern, but that InstaAgent remained unscrutinized as a high profile app -- a top performer in some App Store regions -- for so long is perhaps more troubling.
Apple's last dealt with a major App Store malware penetration in September when Chinese developers unknowingly used modified versions of Xcode to write and upload apps. Dubbed XcodeGhost, the rogue development program infected legitimate apps to mine user data. Apple ultimately wiped the store clean and began hosting official Xcode copies on Chinese servers to speed up download time, the main reason developers in the country had turned to unsanctioned software versions.
According to a Peppersoft developer who goes by the Twitter handle David L-R, "Who Viewed Your Profile -- InstaAgent" was a nefarious username and password harvesting tool masquerading as an app for monitoring Instagram profile visitors.
Digging into the app's code revealed sensitive account information being sent unencrypted to a remote server, instagram.zunamedia.com, and in some cases used to log in and post unauthorized photos to users' Instagram feeds. David L-R notes the remote server is not connected to Instagram's official network.
Before being yanked from the App Store, InstaAgent was a chart-topping free app in multiple countries including Canada and the UK, suggesting thousands of unsuspecting users unwittingly handed over their Instagram credentials. Hard numbers are currently unavailable, but the developer guesses as many as 500,000 users downloaded the app. The metric matches up with InstaAgent's performance on the Google Play app store, which removed the title earlier today.
While no longer available, the iOS App Store still contains Instagram profile analytics apps looking to capitalize on InstaAgent's success. Some offerings share similar titles like "Who Viewed My Profile" and "Who Viewed My Instagram Profile," while many sport icons showing a shadowy figure wearing a fedora. Instagram urges customers not download, log in or interact with third-party apps.
Making it past Apple's review process is cause for concern, but that InstaAgent remained unscrutinized as a high profile app -- a top performer in some App Store regions -- for so long is perhaps more troubling.
Apple's last dealt with a major App Store malware penetration in September when Chinese developers unknowingly used modified versions of Xcode to write and upload apps. Dubbed XcodeGhost, the rogue development program infected legitimate apps to mine user data. Apple ultimately wiped the store clean and began hosting official Xcode copies on Chinese servers to speed up download time, the main reason developers in the country had turned to unsanctioned software versions.
Comments
looks like if governments want a backdoor they need only make an app, sheesh.
What a load of crap. This is not Apple's fault. There are lots of Apps that work as third party clients to access other services (think of e-mail programs where you need to provide your e-mail and password before they can access your account).
It would be trivial for a developer of an e-mail App to store your credentials and later on send them to another server. Or, use your e-mail account to send themselves an e-mail with your information.
How do you suggest Apple check for this?
More crap. This App doesn't have the ability to harvest data from your iPhone. It simply takes credentials you supplied to access Instagram and then sends these to their own servers as well.
More crap. This App doesn't have the ability to harvest data from your iPhone. It simply takes credentials you supplied to access Instagram and then sends these to their own servers as well.
sometimes, in the land of printed letters, my sarcasm is quickly lost. i agree-- this is hardly a security snafu. i feel just as secure as i did before with ios.
In addition to pulling the app, I hope Apple suspended the developer's account/privileges.
At least not that many people were affected considering the size of the user bases of iOS and Android.
Stay safe out there.
At least not that many people were affected considering the size of the user bases of iOS and Android.
Stay safe out there.
I expect the iOS users have more to lose.
Apple needs to improve their App security verification.
It's the better iOS App security which is one big reason why many pay a bit more for Apple's devices.
Of course android Google spying is a given !
It's time Apple gets serious about this, this is happening far too often for anyone to be comfortable. Claims about caring about user data privacy are undermined by incompetent verification of apps in the Store.
What a load of crap. This is not Apple's fault. There are lots of Apps that work as third party clients to access other services (think of e-mail programs where you need to provide your e-mail and password before they can access your account).
It would be trivial for a developer of an e-mail App to store your credentials and later on send them to another server. Or, use your e-mail account to send themselves an e-mail with your information.
How do you suggest Apple check for this?
Exactly! You should not be giving your credentials to someone you don't know anything about. You do that by giving your credentials to a third party app written by someone you don't know. Running some local app is one thing, but you should be thinking twice who you give your account information to for cloud services.
That's insufficient.
Apple needs to hire a Mexican drug cartel hit team to kill the developer and his immediate family, skin his head and publish the pictures.
Then all this nonsense would come to a screeching stop.
Zero tolerance is the only way to go—you notice no more kids are bringing their home made clocks to school any more.
That makes a load of sense. I don't even answer any email if I don't know the sender. Well, with the exception of a few Nigerian officials who need my help moving small fortunes out of their country. How can I say no since they are always so upbeat, polite, and Christian?
Exactly! You should not be giving your credentials to someone you don't know anything about. You do that by giving your credentials to a third party app written by someone you don't know. Running some local app is one thing, but you should be thinking twice who you give your account information to for cloud services.
Yup. Firstly, don't use an alternative client for anything important. Instagram or Reddit or whatever are generally harmless. Step 2 is the most important: Be sure to never re-use passwords. That's the real risk of these harvesters. Get one ID & PW, get 'em all.
I guess DED now is preparing an article to defense security problems of Apple now.
And notifies local law enforcement for possible fraud and/or theft.
you can't really fight this kind of malware, because basically is the user that made the mistake of using a third party unauthorized tool, giving full credentials to access ....
it is totally unreasonable to expect Apple to analyze any single line of code of submitted apps.
What a load of crap. This is not Apple's fault. There are lots of Apps that work as third party clients to access other services (think of e-mail programs where you need to provide your e-mail and password before they can access your account).
It would be trivial for a developer of an e-mail App to store your credentials and later on send them to another server. Or, use your e-mail account to send themselves an e-mail with your information.
How do you suggest Apple check for this?
How about an API powered "Login with Instagram" ??????
This isnt Apple's fault.
It's entirely Instagram's fault. They should check the client we use to login and ban the client if it has bad security practices. Like Snapchat did.
I expect the iOS users have more to lose.
Apple needs to improve their App security verification.
It's the better iOS App security which is one big reason why many pay a bit more for Apple's devices.
Of course android Google spying is a given !
It's pretty hard to improve anything if the user is ready to give the keys away and then blame whoever.
I'd say near 100% of "hacks" start by users idiocy... You try to make these idiots safe, but it's hard even in a militarized environment let alone a commercial one where devs whine like mad if apps take one day more to get to the app store than they expected.
It's pretty hard to improve anything if the user is ready to give the keys away and then blame whoever.
I'd say near 100% of "hacks" start by users idiocy... You try to make these idiots safe, but it's hard even in a militarized environment let alone a commercial one where devs whine like mad if apps take one day more to get to the app store than they expected.
sadly, "good" malware uses users idiocy to work.....