InstaAgent Pulled After Stealing User Names and Passwords

A popular mobile app has been pulled from Google Play and the App Store after a researcher warned that it lifted users' names and passwords without their knowledge.

Users of InstaAgent have been urged to change their Instagram passwords immediately after the news came to light.

The app, which was popular in the UK and downloaded by hundreds of thousands of users, promised to show users who was viewing their profile.

But German developer David Layer-Reiss took to Twitter on Tuesday to warn users that the app was stealing their log-in credentials in order to do so. It was also found to be posting ads into users’ accounts.

The developer allegedly behind the controversial app, Turker Bayram, has issued an apology in broken English.

“Please be relax. Nobody account is not stolen,” he said. “Your password never saved unauthorized servers. There is nothing wrong. But again and again we apologize from our precious users.”

Not content, Layer-Reiss has raised question marks over the man behind the app and his company, “Zunamedia.”

“Another strange fact is that it is nearly impossible (for me) to identify the developer of InstaAgent (his AppStore dev name was Turker Bayram). And why didn't the #InstaAgent developer sign his statement?” he wrote in a blog post.

“And if you are making an WHOIS to the zunamedia.com server you cannot get any informations because of domains proxy. Why is he hiding his identity? Who is Zunamedia ?”

Rapid7 security research manager, Tod Beardsley, claimed it was unusual that both Google and Apple approved such a dubious looking app.

"While the direct motive for the malicious app developer was to spread spam links via hijacked Instagram accounts, he now has a library of about a half a million username and password combinations,” he explained.

“Since people routinely reuse passwords for various social media sites, we recommend that anyone who mistakenly installed the InstaAgent app immediately change not only their Instagram password, but also the password for any other site where they use the same password, as well as any password that is similar enough that it could be easily guessed.”

What’s Hot on Infosecurity Magazine?