An Instagram client which was the most downloaded free app in Britain and Canada has been silently stealing usernames and passwords and uploading them to its developer’s server.

The app, marketed as “Who Viewed Your Profile - InstaAgent”, claimed to allow users of the social network to track the people that have visited their account. But users who logged into the account instead had their credentials uploaded, unencrypted, to a third-party server.

Developer David Layer-Reiss, of Peppersoft, first spotted the malicious activity and uploaded a warning to his Twitter account.

David L-R (@PeppersoftDev) I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times.

The app, which hit the top of the download charts in at least two countries, was also available on Android, where it received between 100,000 and 500,000 downloads, according to Google. Some of its velocity may have been due to another sort of malicious activity: the app posted images advertising itself direct to users’ Instagram feeds, in contravention of the site’s terms of service and without the permission of affected users.

By Wednesday morning, the app had been removed from both app stores, but hundreds of thousands of users should consider their Instagram passwords compromised. Anyone who has downloaded the app should delete it and reset their password on Instagram, as well as on any other service where they may have, inadvisably, used the same login details.