@PeppersoftDev

Recently a rather dubious app made its way towards the top of the iOS App Store charts. The app, dubbed ‘InstaAgent’, purported to let you see who had viewed your Instagram profile the most. Discerning users will likely recognise this as a common scam that often appears online; however, it is rare to see such an app make its way to the top of the Store charts.

InstaAgent, which was indeed a scam with malicious intent, has now been pulled from the App Store, and for good reason. The app was sending user names and passwords – in plain text – to a third-party server outside of Instagram’s control. Aside from the obvious privacy implications, the app was also posting on behalf of users without their consent.

This maliciousness was revealed by @PeppersoftDev, who dug into the behaviour of InstaAgent.

#InstaAgent is only able to post an image in your #Instagram account because they got your account password! #hacked pic.twitter.com/0vD1OJBY9l — David L-R (@PeppersoftDev) November 10, 2015

If you were one of the almost half a million people who downloaded this app, then you will want to change your password immediately. Instagram – and common sense – urges users not to give their password to someone they don’t know and trust, and to seriously consider whether they should authorise a third-party app to access their account.

I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times. — David L-R (@PeppersoftDev) November 10, 2015

This is another case of "if it’s too good to be true, then it probably is." It pays to be diligent when downloading apps, especially ones that claim to do the impossible, and particularly at a time when Apple seems to be having a bit of a malware problem.

Update: The app was also pulled from the Google Play Store, and the creator apologized for his "terrible mistake" on the zunamedia website.

The statement in full reads:

We had to make a statement after abuse reports about InstaAgent application. We apologize for our precious users because of we bother them. But we bother a few users who used InstaAgent application. "David L-R" revealed background of application. But there is a point that he overlook. First of all, we must talk about application working principle. InstaAgent app is an analyze application that makes an analyze and makes an estimated list for your Instagram visitors. When you login application with your account, application examines your photos about who likes your photos most and who comment most. This people are the best visitors for your profile in theory. There is no %100 guarantee and we have stated this in application markets meta description. You can see first three users in this list for free but you had to pay to see the other users. But we have an alternative way for our users to see all list for free. If you accept to share a photo which promote our application, you could see the whole list for free. But it was not a good idea. We build this module for debug mode. We didn't publish because we learn that Instagram wasn't allow private apis for 3rd party applications usage. Again, we really apologize for our precious users because of we had a terrible mistake in some of users device got debug mode why we couldn't understand. Our idea which is we canceled has publish reluctantly. It was a terrible experience for us. Because our application has removed both mobile markets. But it was also a good training. We have too much excitement and we hurry when our application growed. So we couldn't develop controlled enough. And we crashed. Please be relax. Nobody account is not stolen. Your password never saved unauthorized servers. There is nothing wrong. But again and again we apologize from our precious users.
Main training in this project for us and other developers, we must full develop with full controlled and full tested before publish an application and first of all we must read service providers policies carefully.

Source: appleinsider