If you’ve downloaded InstaAgent, an iOS and Android app designed to let you see who’s viewed your Instagram profile, you might want to delete it from your smartphone. According to a new report, the app – whose full name is ‘Who Viewed Your Profile – InstaAgent’ – is not only storing usernames and passwords in plaintext and sending them to a remote server, but also using those very credentials to log in and post unwanted images to users’ profiles.

InstaAgent has since been removed from both the Google Play Store and iOS App Store, but so long as it’s on your phone, it can still send your information.

The exploit, first discovered by app developer Peppersoft, takes your Instagram login information and sends it via non-encrypted text to a remote server called instagram.zunamedia.com. While it’s not clear what all is done with that information, it appears InstaAgent then uses those credentials to log into accounts and post unauthorized images, a means of getting around Instagram’s restriction from letting third-party apps from uploading media.

#InstaAgent is only able to post a image in your #Instagram account because they got your account password!#hacked pic.twitter.com/0vD1OJBY9l — David Layer-Reiss (@PeppersoftDev) November 10, 2015

For anyone who has downloaded the app, either on iOS or Android smartphones, it’s highly suggested you delete the app and change all passwords associated with your Instagram login.

Surprise, surprise , #InstaAgent is also posting images without you permission in your #Instagram profile 😂 . pic.twitter.com/Syvsv71wcn — David Layer-Reiss (@PeppersoftDev) November 10, 2015

Download numbers aren’t 100% known, but from the looks of it, it appears InstaAgent could’ve amassed over one million downloads in total, split almost 50/50 between iOS and Android.

I would say "Who Viewed Your Profile – InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times. — David Layer-Reiss (@PeppersoftDev) November 10, 2015

Turker Bayram, the man behind InstaAgent has since refuted reports that accounts were compromised and apologized via the company’s main url, stating he has made ‘a terrible mistake’ and that ‘your password [were] never saved [to] unauthorized servers.’

Did you or do you have InstaAgent on your phone? If so, have you experienced any unauthorized posts on your account? Let us know in the comments below.

[via MacRumors]