Google and Apple Tricked into Approving Apps Which Again Steal Instagram Credentials

Google and Apple have once more been cheated in accepting rogue applications on their App stores. The new applications steal passwords and usernames of a user's Instagram. The App of Android with 23,000 users is known as "Who Viewed Me on Instagram", whereas the iOS app is known as "InstaCare - Who cares with me". TurkerBayram developed these new apps, the iOS apps and InstaAgent Android apps are also developed by same developer, which stole credentials of Instagram during last November.

The more worrying thing is the application was developed by Turker Bayram, same developer who developed the iOS apps and InstaAgent Android apps, which were found to be secretly stealing credentials of Instagram during last November.

David Layer-Reiss of Peppersoft Development found the earlier InstaAgent apps along with the 2 new apps, and says that as soon as InstaCare is installed by the users, they are immediately forced to log on with their credentials of Instagram, which are later encrypted and sent to the server of the crook. Users are lured by the app as it pretends to tell them who all have seen their profile and can also maliciously used to have access to the user's info including contacts, credentials and profile.

InstaCare advertises as an app which shows the identity of persons who have seen your profile, and hence most users do not find it odd and filled their credentials without enquiring what actually happens to them.

Once the credentials are saved on the attacker's server, they will use them afterwards to secretly enter the hacked accounts, and post ads and spam on behalf of the user. Findings of David are also confirmed by Kaspersky security researchers, and neither Google nor Apple has deleted the malicious apps from their app stores till the time of writing this article.

It shows that it is very difficult to handle large-scale app stores efficiently and securely, as both Google and Apple got tricked again by the same developer. Softpedia.com posted on 21st March, 2016, stating that the whole situation is a little annoying because the two might have flagged the developer to begin with. The applications have not been removed from the app stores till the time of publication.

» SPAMfighter News - 3/29/2016