InstaAgent = InstaTheft – Google and Apple Move to Rid Instagram Malware

InstaAgent was an app in both the Apple App Store and the Google Play Store which claimed to show the user who was looking at their Instagram profile.

Never underestimate the vanity of millennials, since as many as half a million installed the app. It rose on the charts near Candy Crush levels. The developer was making money through in-app purchases, selling people information about the top viewers on their profile and so forth.

However, while the app most likely had no idea who was actually viewing Instagram profiles, it was stealing credentials and transmitting them back to a remote server, a discovery credited to iOS developer David Layer-Reiss. Despite unreliable metrics, one website shows the app having reached the top spot in 15 countries, a truly incredible feat for something that has less real utility than a fart prank app. Speaking to the BBC, Instagram said of the debacle:

“These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”

To be fair, Instagram has also discouraged users from using apps that posed no harm, such as Uploader for Instagram, which it objected to earlier this year. The company said the app, which allowed the user to upload photos from the desktop simply by using a context menu in Finder, violated its policies. It pursued legal action against creator Caleb Benn, and the app is no longer available on the App Store.

Anyone who installed the InstaAgent application can assume that their account has been compromised. They should probably reset their account passwords. Hopefully, none of these hundreds of thousands of users were using passwords that might work on other major sites, but such a hope would most likely be in vain, as that practice is still somewhat common.

It was perhaps more surprising that Apple’s gatekeepers let the InstaAgent application through, as they have historically kept much tighter control over which applications users can choose from. It also remains unclear whether the InstaAgent creator will reap the rewards of his creation through the in-app purchases people were making.

Hacking of the kind that was conducted, stealing user names and passwords, can be punished pretty severely under the Computer Fraud and Abuse Act, but the government could take years to penalize the creator, if it did so at all. If nothing else, most users have a lawsuit against – somebody. Be it Google, Apple, or the creator himself, someone has to account for this software being offered in an apparently legitimate repository and then ripping off their login details.




P. H. Madore has covered the cryptocurrency beat over the course of hundreds of articles for Hacked's sister site, CryptoCoinsNews, as well as some of its competitors. He is a major contributing developer to the Woodcoin project, and has made technical contributions to a number of other cryptocurrency projects. In his spare time, he recently began a more personalized, weekly newsletter at