An Instagram app – InstaAgent – has been flagged after a developer found it stores user names and passwords of Instagram users and sends them to an unknown server. This app basically keeps track of people visiting a user's profile.
The app's intrusive features were discovered by a Peppersoft developer who runs the Twitter handle peppersoftDev. The developer said the app -- whose full name is "Who Viewed Your Profile-InstaAgent" -- sends users' passwords and usernames in clear text to a server called instagram.zunamedia.com. InstaAgent has even been posting photos without a user's permission in his or her Instagram profile. This is because InstAgent has access to a user's credential and can log in to their Instagram accounts.
Quite a popular app, InstAgent is the first malware in the iOS App Store that has been downloaded half a million times, said peppersoftDev. Besides being popular in the US, InstAgent is one of the top apps in both UK and Canada with thousands of downloads. As for its Android version, the app had between 100,000 to 500,000 users, with installations matching iOS.
Following the discovery of the malware, Apple has removed it from the App Store. Even its Android version has been taken down from the Google Play Store.
What should you do?
Those who are currently running the app are advised to delete it as well as consider changing their Instagram passwords. Also, if you are using the similar Instagram password for other accounts, it is recommended you change them as well. As a safety measure you can use any password management app which generates unique passwords for you.
Instagram has previously warned users not to allow access to third-party apps that do not follow its guidelines, and are likely to get access to a user's account in an unauthorised manner. There are dozens of third-party apps that provide Instagram users with followers. Try and avoid such apps.