A much-downloaded third-party Instagram client has just been pulled from the App Store after it was found to have behaved maliciously.
The app in question, called Who Viewed Your Profile – InstaAgent and developed by Turker Bayram, purported to analyze users’ profiles so as to show who viewed them. But as discovered by David L-R, a developer at Color Stairs maker Peppersoft, InstaAgent did more than that without the knowledge of its users.
What it did wrong
Most alarmingly, InstaAgent harvested Instagram usernames and passwords and sent them unencrypted to an unauthorized remote server, instagram.zunamedia.com. And with this information, the app was able to upload posts to Instagram accounts without users’ permission.
Following reports of InstaAgent’s encroachment, Apple removed the malware app from the App Store, although it’s yet to officially comment on the issue and how the app came to be available on the App Store in the first place.
What you can do right
While its name may not ring a bell with most Instagram users, InstaAgent was apparently an App Store chart-topper in some markets, including the U.K. and Canada, and was downloaded as many as half a million times.
If you are one of the unfortunate users who used InstaAgent, be sure to delete the app from your device, and promptly change your login credentials with Instagram and with any other services where you use the same login details (which is something you shouldn’t be doing to begin with), preferably generating a complex password with a tool like 1Password.
And for all of us, let this be a lesson on being more cautious when it comes to trusting third-party apps with our sensitive information.