The app’s malicious intentions were discovered by iOS developer David L-R. After downloading InstaAgent and examining the source, he found the app sends its users’ data to a server at ‘instagram.zunamedia.com.’ It is unclear what happens to the usernames and passwords when they arrive at the server or what the intentions of the app developer are.
This collected information could be used to hack accounts, post photos without the users’ knowledge or obtain other profile details. Those who have downloaded InstaAgent should remove the app and change their Instagram password as soon as possible.
Hundreds of thousands of people are believed to be affected. The app had reached the top of the free iOS apps chart before Apple removed it today. Google responded before Apple, pulling the app from the Play Store within hours of David L-R’s first tweets. On Android, InstaAgent may have been downloaded as many as 500,000 times.
The app allowed users to view more information about their Instagram presence than the company itself usually provides. One of InstaAgent’s most advertised features let users see a list of people who have looked at their profile.
InstaAgent’s developer also broke Instagram’s terms and conditions. The app was capable of posting unauthorised photos, including an image of text saying “Do you want to see people who viewed your Instagram profile?” Instagram specifically says its API does not support third-party photo uploads.
The incident has led to more scrutiny of the review procedures Apple and Google use to verify whether an app should be made available in their stores. Instagram warns against using third-party apps unless they have a history of being supportive of its platform. The company says it will be sending emails to InstaAgent users and told the BBC:
“These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”
The issues with InstaAgent have affected another iOS developer. Craig Pearlman has his own app called ‘InstaAgent’, which remains available for download and has no malicious intentions. He told the BBC that users are already confusing the two, saying the malicious app’s behaviour would be “impossible to produce” in his.
Instagram users are advised against using third-party apps that claim to offer dubious features not supported by the company itself. InstaAgent violates Instagram’s own terms and conditions, and the identity and purpose of the server it sends details to remain unknown. David L-R notes it may be the first malware to be downloaded over 500,000 times on iOS.
