Naked Security

Instagram stalker app Ghosty yanked from Play store

It was sucking up private profiles by requiring users to hand over their logins, giving it access to whatever accounts they follow.

Ever wanted to view hidden profiles on Instagram? To stalk users who’ve chosen to make their profiles private?

Up until Tuesday morning, you could do that by using a stalker service called Ghosty. Here’s what the app developer promised on versions available on Google Play and Apple’s App Store:

Ghosty – View Hidden Instagram Profile. You can view all the profiles you want to view including hidden profiles on Instagram. You can download or share photos or videos from your Instagram profiles to your gallery. In addition, you will soon be able to access many new features related to your instagram account.

“Soon” won’t come for the app, the logo for which was the profile of snooper extraordinaire Sherlock Holmes. Ghosty was removed from Google’s Play store after Android Police found the service creating what the publication called a “stalker paradise.” Nor could I find it on Apple’s store.

In that stalker paradise/privacy dystopia, anyone could view the many private profiles Ghosty amassed by signing up users who handed over their own accounts’ data – including whatever private accounts those users follow.

As Android Police tells it, this was the deal you had to make with the devil: in order to view whatever private accounts Ghosty had managed to crowd-source, you handed over your Instagram login credentials. You also had to invite at least one other person to Ghosty in order to view private profiles. Thus did Ghosty keep expanding the pool of content it could show its users: if any of those users followed a private account, that profile got added to the content Ghosty would make available.

Android Police noted that when it looked into the app, the media outlet managed to skip past that invitation step and was still able to view at least one private profile.

Not only was the service brazenly exploiting users’ desires to get at private accounts; it was also charging them for bundles or flinging ads at them.

Ghosty isn’t new; it appeared on the Play Store in April 2019. It had been downloaded over half a million times as of 13 November.

That’s a long time for an app to be amassing content while breaking Instagram’s rules. The relevant terms of service clause that forbids what Ghosty was up to:

You can’t attempt to buy, sell, or transfer any aspect of your account (including your username) or solicit, collect, or use login credentials or badges of other users.

As Android Police points out, during the half year that Ghosty was operating, neither Facebook (Instagram’s owners) nor Google apparently did anything about it – at least, not until now.

On Saturday, a Facebook spokesperson sent a statement to Android Police saying that no, Ghosty wasn’t exploiting Instagram’s application programming interface (API), as has been done by at least one other Instagram follower app that was recently yanked. But then, why would Ghosty even need Instagram’s API, when users were simply handing over their logins to enable the service to get at the private profiles the users follow?

The Instagram spokesperson said that the company would send a cease and desist letter:

We will be sending a cease and desist letter to Ghosty ordering them to immediately stop their activities on Instagram, among other requests.

We are investigating and planning further enforcement relating to this developer.

Last week, Apple pulled another Instagram-watching app from its store. That one, called Like Patrol, was reportedly charging users a yearly fee of $80 in exchange for access to their Instagram friends’ activities on the platform, including which posts they liked and from whom. It was also reportedly offering notifications of a person’s interactions with users of specific genders. None of that information required the consent of the person being monitored.

Android Police reports that following Facebook’s cease and desist letter, Ghosty disappeared from Google’s Play store. It’s not clear whether the developer made it go poof! or if Google pulled the app.

FTC cracks down on stalker apps

The removals of Ghosty and Like Patrol follow close on the heels of the Federal Trade Commission (FTC) having settled charges with the stalker app maker Retina-X Studio in October.

Retina-X Studio, the former maker of the snooper tools PhoneSheriff, TeenShield, SniperSpy and Mobile Spy, put the kibosh on the products in March 2018 as a result of two hacks: the first in April 2017 and the second in February 2018.

A breach of a spyware app means that data for both the snooper users and their surveillance targets gets compromised, and with these tools, that’s saying a lot: Retina-X’s tools were used to track targets’ call logs (including deleted ones), text messages, photos, GPS locations, and browser histories, as well as to eavesdrop on victims, wherever they might be.

Fortunately, the FTC has said that it’s going to be paying close attention to what spyware apps get up to. Retina-X was the first stalker app the FTC has ever gone after, but it likely won’t be the last, going by what the Commission had to say about its determination to…

…hold app developers accountable for designing and marketing a dangerous product.