Sophos News

Instagram password stealer app yanked from App Store and Google Play

  • Paul Ducklin

    • Here’s a question:

    Would you install a mobile app that offered smartphone access to a popular online service?

    Billions of people do, for example by choosing Twitter’s dedicated mobile app instead of simply accessing the service via their mobile browser.

    Ironically, this is quite the opposite of the trend on desktop and laptop computers, where more and more products that would have been standalone software applications in the 1990s or 2000s are delivered as web content, right inside your browser.

    As a result, browser security is getting better and better, spurred on at least in part by the increasing number of vendors that depend upon the browser for the security of their own products, and thus for the security of their customers.

    But in a second irony, some mobile apps – even ones that only need to support one specific service, and aren’t general-purpose like a browser – are stuck back in the 1990s when it comes to security.

    We call this the security gap, where good looks and usability on the small screen of a mobile device often seem to push security into the background.

    We’ve written about this problem not only in popular apps such as Pinterest and Yammer (now patched), but even in banking apps, which you’d think would know better.

    OK, here’s another question:

    Would you install a mobile app that offered extra features for a popular online service?

    Millions of people do, for example by using apps like Hootsuite, a popular and perfectly respectable tool for managing your social media accounts in clever ways that software such as Twitter’s regular app doesn’t support.

    Most online services have well-defined interfaces, and clearly-arranged legal terms, by which third-party companies can join in the fun, add value for customers, and share in the revenue, rather than becoming competitors instead.

    Sounds like a win-win-win situation, and, done properly, it is.

    Now for the third question:

    How do you tell whether a third-party mobile app company really is “doing it properly”?

    For many users, the answer is very simple: stick to the App Store or Google Play.

    The impression, if not actually the promise, of Apple’s and Google’s official app outlets, is that software is carefully vetted for security and checked for malware, and thus implicitly safe to use.

    And, to be fair, you will be safer and more secure if you stick to the official markets and avoid installing apps from just anywhere.

    For example, most of the Android malware we see – and there is a lot of it about! – spreads via alternative markets or through untrusted links spread via mobile messages.

    But both Apple and Google have more than a million apps each in their official marketplaces, even though they have been running for under eight years.

    Do the arithmetic, and that means they’ve each approved well over 400 apps a day, weekends and holidays included.

    So it’s hardly surprising that the vetting process is superficial, at least by human standards, and doesn’t include anything of any substance like a proper code review or a vulnerability assessment.

    And that’s how apps like InstaAgent, which promised to help you “see people who viewed your Instgram profile”, managed to get both Apple’s and Google’s imprimatur.

    That’s despite prohibited behaviour that included capturing your Instagram login details and sending them off to InstaAgent’s own servers, and then uploading photos to your account to advertise the product.

    An independent iOS developer in Germany documented that behaviour, and wrote a compact but informative blog article about it, reaching a pithy conclusion, with which we agree wholeheartedly:

    The behaviour of InstaAgent is very, very strange. You should not use the app.

    Apparently, both Apple and Google agreed, yanking the offending app (detected by Sophos as Andr/InstaAgt-A) from their respective walled gardens.

    According to reports, the app had been downloaded more than 100,000 times from Google Play alone.

    At this point, you’re probably asking yourself a fourth question:

    Why would a mobile app work this way?

    After all, if your app becomes popular and its insecure behaviour becomes known, excommunication from the official market is the most likely result, and that’s all your development wasted.

    So why not put in a little bit of extra effort to do things properly in the first place?

    Here are three possible reasons:

    All of these reasons end in tears – even the middle one, in which we assume no active malevolence on the part of the developer.

    After all, if a developer is sloppy enough to steal your password so he doesn’t have to bother learning the proper way to program, what’s the chance he’ll store your password safely?

    In case you’re wondering, the developer of InstaAgent has published an official but almost incomprehensible “issue explanation,” in which he makes a bold but bogus claim that we reject entirely:

    Please be relax. Nobody account is not stolen. Your password never saved unauthorized servers. There is nothing wrong.

    But also has some advice for other budding mobile app developers that we agree with wholeheartedly:

    We have too much excitement and we hurry when our aplication growed. So we couldn't develop controlled enough. And we crashed... Main training in this project for us and other developers, we must full develop with full controlled and full tested before publish an application and first of all we must read service providers policies carefully.

    What to do?

    If you have ever used the InstaAgent app:

    …but you didn’t do that, did you?

    Of course, if you know someone who did share passwords, change those other passwords, too.

    This time, choose a different one for each account!