‘InstaAgent’ hijacks Instagram passwords and posts spam to feeds

InstaAgent iOS app

For anyone that has seen ads for an iOS app that allows Instagram users to see who has visited their profile, the results are more malicious than previously believed.

According to a new report, InstaAgent is an app that connects to an Instagram account and promises to track visitors to a user’s profile. The report indicates that the app is storing the username and password of Instagram users, and is also sending that information to a remote server.

It was discovered after an app developer from Peppersoft downloaded the app and discovered that it was putting together account usernames and passwords and sending them via clear text to the server instagram.zunamedia.com.

Add to that, InstaAgent is also using that stored information to log into users’ accounts and post unauthorized images to their feeds.

As MacRumors points out, InstaAgent isn’t all that popular in the United States, but it does see some popularity in other markets like the United Kingdom and Canada. For Android users downloading the app out of the Play Store, the userbase appears to be between 100,000 and 500,000, so it is expected the userbase for iOS users could be somewhere in the same region, all of which are potentially at risk of having their information stolen.

As it stands, Google has removed InstaAgent from the Play Store, but, as of this writing, the app is still available in the iOS App Store. For anyone that has installed the app, it would be wise to change the password for the user’s Instagram account.

[via MacRumors]