Recently, news broke about a concerning app called InstaAgent. The app connects to the victim’s Instagram account and sends the user’s login credentials unencrypted to its servers.
Here’s what we know about the threat.
What is it?
InstaAgent, found by researcher Peppersoft, promised Instagram users that it would show them who viewed their profiles, but instead, it sent the person’s Instagram login credentials in plain text, or unencrypted, back to its servers. The app was available in both the Google Play Store as well as the Apple App Store and may have been downloaded over 500,000 times. “Plain text” transmission is concerning as someone eavesdropping on the app’s communications to its serves could theoretically see the passwords while they are in transit.
Instagram itself was not breached, however individuals’ Instagram accounts could be breached if someone found and used these passwords.
How bad is it?
We believe people should be aware of the threat and remove the app from their device.
One of the biggest problems with leaked credentials is that many people share their passwords across accounts. Oftentimes, when these credentials fall in the wrong hands, that bad actor checks those credentials across a myriad of websites to see what she can access. You want to ensure that you have different and complex passwords for any sensitive accounts.
Am I protected?
Lookout users, including both individuals and enterprises, are protected and will be alerted if InstaAgent is present on their device.
Individual Lookout users running Android or iOS 8 and below are fully protected. However, due to limitations in iOS 9, Lookout is not able to alert those individuals of this threat.
Enterprises using Lookout Mobile Threat Protection are fully protected across iOS and Android and will be alerted if InstaAgent is present on employee devices.
What else should I do?
If you have InstaAgent, look for this icon on your device:
Delete the application and immediately change your Instagram password. If you used your Instagram password across multiple accounts, you should change those passwords immediately as well.
In general, you should always do thorough research on any third-parties before allowing them access to your personal accounts. Reading developer reviews is a good place to start.