Just because an app has passed iTunes' verification procedure doesn't automatically mean it's safe. Take this Instagram client called "Who Viewed Your Profile - InstaAgent" for example, which was available on both iTunes and Google Play until an iOS developer found out that it harvests usernames and passwords. It's not very popular in the US, so we wouldn't be surprised if you haven't heard of it, but in a nutshell, it's an app that monitors your Instagram profile views. Peppersoft developer David L-R took a close look at the app and revealed on Twitter that it's been sending log-in credentials (unencrypted and in cleartext, to boot) to a remote server at instagram.zunamedia.com. Despite that address, the server is in no way connected to Instagram itself.
David also found that the app can post images on your IG account without permission, and he believes that it's been downloaded around half a million times. That's not exactly huge when it comes to app store numbers, but it means as many as half a million users could be infected. We can't find the exact application on iTunes and Google Play anymore, but we're seeing a lot of similar ones with "Who Viewed My Instagram Profile" and the like in their names. If you've ever downloaded something akin to InstaAgent, make sure to change your password, just in case.
"InstaAgent" - very strange things are happening. The username+password is sent in CLEARTEXT to the unknown servers! — David L-R (@PeppersoftDev) November 10, 2015
I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times. — David L-R (@PeppersoftDev) November 10, 2015