Third-party Instagram app pulled after stealing passwords

The app, called InstaAgent, was snagging usernames and passwords and sending them to a remote server, according to the developer who spotted it.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Change your Instagram password if you downloaded a malicious app called "Who Viewed Your Profile - InstaAgent."

David Layer-Reiss/Twitter/screenshot by Lance Whitney/CNET

Apple and Google have both put the kibosh on an app that was hijacking the passwords of Instagram users.

Known as "Who Viewed Your Profile - InstaAgent," the app claimed to help Instagram users find people who were viewing their profiles, The Guardian reported on Wednesday. Instead, the app was grabbing account credentials of Instagram users who logged into it. The app then uploaded those credentials in an unencrypted format to a third-party server, tweeted Peppersoft developer David Layer-Reiss, who caught the malicious activity.

Google has been criticized in the past for allowing malicious apps onto its Google Play store without performing a thorough review process. In this case, Apple also failed to properly vet the app. The episode shows that clever malicious apps can skirt even Apple's strict guidelines and that users face risks when downloading mobile apps, even ones as popular as InstaAgent.

Before it was removed by Apple and Google from their respective app stores, "Who Viewed Your Profile - InstaAgent" earned a spot as the top free app in the UK and Canada, though it wasn't as trendy in the US, according to MacRumors. At the Google Play store, the app could've been downloaded by as many as 500,000 users. The numbers may have been similar at Apple's App Store, Layer-Reiss speculated.

Those of you who installed "Who Viewed Your Profile - InstaAgent" should delete the app immediately and change your Instagram password. If you used the same password on any other sites, you should change it there as well. The remote server to which the passwords were uploaded -- instagram.zunamedia.com -- is identified as a suspected phishing site, so you're urged to avoid it.

"All apps on Google Play are required to follow our policies," a Google spokeswoman said. "While we don't comment on specific apps, we remove applications that violate these policies. If users come across any such apps, we encourage them to report it to our support team."

A search on the Google Play Store and the Apple App Store shows other apps that help you find people who follow you on Instagram. But you should be wary of such apps, according to Instagram.

"These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way," an Instagram spokesperson said. "We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."

In September, Apple's App Store was hit by dozens of malicious apps built with a phony version of Apple's Xcode program, which developers use to create apps for the iPhone, iPad, Mac and Apple Watch. The company was forced to remove the infected apps and make sure that developers were using the proper version of Xcode.

Apple did not respond to CNET's request for comment.

Update, 1:15 p.m. PT: Adds comment from Instagram.