Image: Apple

Google and Apple have removed a malicious third-party Instagram app that stole passwords -- but only after it had become a top-grossing app in the App Store and gained over 100,000 users from Google Play.

iOS developer David L-R yesterday raised the alarm over the app 'Who Viewed Your Profile - InstaAgent', posting on Twitter that it was storing Instagram usernames and passwords and sending it in cleartext to a remote server.

The app claimed to tell users who viewed their profile. But InstaAgent would then use those credentials to access accounts and post images in Instagram profiles promoting the app.

MacRumors noted that InstaAgent ranked as the top free app in the UK and Canada, though it was less popular in the US.

Before Google pulled down the app, it had been downloaded as many as 500,000 times from Google Play. Apple doesn't reveal how many times an app has been downloaded but David L-R estimated that the numbers would be similar for the App Store.

According to analytics firm AppAnnie, there were two InstaAgent apps on the App Store. The first, 'Who Viewed Your Profile - InstaAgent', has been removed.

A second app, called just 'InstaAgent', ensures Instagram links from Twitter open in the Instagram app rather than Safari. This second app hasn't been removed and does not appear to be linked to the malicious app, which made its App Store debut on October 10.

A user on Reddit flagged the 'Who Viewed Your Profile - InstaAgent' app as a scam yesterday, noting that it had become the top free and eighth highest-grossing iPhone app in their country's App Store, higher on the grossing chart than Skype and Netflix.

The app falsely claimed to reveal the top 100 people who viewed a user's Instagram profile and charged in excess of $10 for the purported capability through in-app purchases.

Over the years Google has responded to dozens of third-party reports of potentially harmful apps on Google Play and received criticism for having a less stringent review process than Apple for the App Store.

In this case both app stores review processes failed to detect the app until after users installed it and may have paid for a bogus service. For Apple, it marks the latest blemish on the App Store's security record, following the discovery of dozens of apps in the China App Store laced with the XCodeGhost malware.

But since Apple and Google manage payments from consumers to developers, it's unlikely that either company will pay the offending developer.

As per Google's developer terms of service, malicious scripts are prohibited and "developers must not mislead users about the apps they are selling nor about any in-app services, goods, content or functionality they are selling".

Apple declined to comment on the matter. However, the company does offer customers in the EU a 14-day refund period on apps and content purchased through its store. Problems can be lodged at reportaproblem.apple.com.

Hopefully users who did fork out for the bogus service will be refunded. ZDNet has asked Google and Apple to confirm whether or not victims can expect to be billed for the purchases. We'll update the story if we receive responses.

Read more