A popular Instagram profile analyzer was on Tuesday pulled from the iOS App Store after being outed as malware by a German developer who found the app harvesting usernames and passwords.
According to a Peppersoft developer who goes by the Twitter handle David L-R, "Who Viewed Your Profile — InstaAgent" was a nefarious username and password harvesting tool masquerading as an app for monitoring Instagram profile visitors.
Digging into the app's code revealed sensitive account information being sent unencrypted to a remote server, instagram.zunamedia.com, and in some cases used to log in and post unauthorized photos to users' Instagram feeds. David L-R notes the remote server is not connected to Instagram's official network.
Before being yanked from the App Store, InstaAgent was a chart-topping free app in multiple countries including Canada and the UK, suggesting thousands of unsuspecting users unwittingly handed over their Instagram credentials. Hard numbers are currently unavailable, but the developer guesses as many as 500,000 users downloaded the app. The metric matches up with InstaAgent's performance on the Google Play app store, which removed the title earlier today.
While InstaAgent is no longer available, the iOS App Store still contains Instagram profile analytics apps looking to capitalize on its success. Some offerings share similar titles like "Who Viewed My Profile" and "Who Viewed My Instagram Profile," while many sport icons showing a shadowy figure wearing a fedora. Instagram urges customers not to download, log in or interact with third-party apps.
That InstaAgent made it past Apple's review process is cause for concern, but that it remained unscrutinized as a high-profile app, a top performer in some App Store regions, for so long is perhaps more troubling.
Apple last dealt with a major App Store malware penetration in September when Chinese developers unknowingly used modified versions of Xcode to write and upload apps. Dubbed XcodeGhost, the rogue development program infected legitimate apps to mine user data. Apple ultimately wiped the store clean and began hosting official Xcode copies on Chinese servers to speed up download time, the main reason developers in the country had turned to unsanctioned software versions.