Password-Stealing Instagram App Back on the App Store Under New Names

BY Killian Bell

Published 23 Mar 2016

[Image: InstaCare screenshots]

A password-stealing Instagram app that was pulled from the App Store last November has returned under new names. InstaAgent by Turker Bayram is now being offered as “Who Cares With Me – InstaDetector” and “InstaCare – Who Cares With Me” — both of which are just as malicious as the original.

InstaAgent’s dirty secret was discovered by Peppersoft developer David L-R. The app promised to tell users who had viewed their Instagram profile, but instead, it was sending their usernames and passwords to a suspicious remote server.

According to a new post from David L-R, Bayram’s new apps — which were somehow approved by Apple (and Google on Android) and also promise to show users who’s been viewing their Instagram profile — do exactly the same thing.

“I’ve analysed the app, to find out if the app steals the Instagram username password again. At first glance it did not seem to, but there is one suspect HTTPS network packet,” he explains. “This would be the second time that this developer published malware into the iOS AppStore!”

Bayram uses a trick in an attempt to disguise what the apps are doing on both Android and iOS: the app first encrypts the username and password, then covertly sends them to a server along with the ID and UDID of the device used. With this information, the login details can be decrypted later.

David L-R outlines the process in the graphic below:

[Graphic: InstaCare data flow, as outlined by David L-R]

With the stolen accounts, Bayram publishes spam on the hijacked Instagram feeds — most of it designed to trick more people into downloading his apps. Lots of users have left negative reviews on his apps after having their account details stolen.

“I went on my account to see that someone has hacked it and it says someone tried to go on from a different location,” writes one user. Another says, “I went on my acc and there was this pic that I never posted… They basically hacked my acc and posted an advertisement.”

It’s unclear how Bayram managed to get more apps past Apple’s App Store review team, but it’s certainly worrying for iOS users. You should avoid apps like this altogether to prevent your information from being stolen, even if they appear genuine.

Instagram warns that apps that don’t follow its Community Guidelines — such as these — are “likely attempts to use your account in an inappropriate way.” The company does not allow users to see who’s viewed their account, so apps that promise to show this are fakes.

[Peppersoft via MacRumors]