InstaAgent App Proves that Social Media View Scam is Still Effective

instaagent-appDo You Want to Know Who Viewed Your Social Media Profile?           

A lot of people do, and that's why a lot of social media profiles end up getting hacked.

Recent reports show that both Apple and Google pulled a popular app from their respective app stores after discovering its malicious nature. “Who’s Viewed Your Profile—InstaAgent” on iOS and “Who View Me—InstaAgent” on Google Play, tracking apps that promised to show who viewed on a user’s Instagram account, was taken down after they were discovered to be stealing credentials and sending those to a remote server.

German developer David Layer-Reiss took this discovery to Twitter and said, “’Who Viewed Your Profile’ #Instaagent will send your Instagram Username and Password to an unknown server!” The harvested information will then be used to hijack accounts and post images without permission from the users.

With almost a million App Store downloads before it was taken down, the app’s advertised feature piqued the interest of users, gaining enough support to take it to the top of the UK free apps chart for four days. It was also listed on the top downloads charts in the US, Canada, and Germany. Layer-Reiss furthered, “I would say ‘Who Viewed Your Profile – InstaAgent’ is the first malware in the iOS App store that is downloaded half a million times.” On the other hand, the Android version of the app got at least 100,000 downloads—a surprising number given the app's low rating of 2.2.

Instagram, the Facebook-owned platform, has previously issued a precaution among its users about these type of traps from third-party apps, “Never grant third-party access to a website or apps that aren't following our Community Guidelines orTerms of Use (including websites selling or promising free followers or likes), as it's likely an attempt to use your account in an inappropriate way.”

However, even as users have increasingly become aware of the security nightmare brought by this ruse, cybercriminals still see this as an effective bait, banking on an account owner’s growing curiosity for their nefarious ends.

This sounds like an age-old trick in the cybercriminal’s playbook, but the trick is still effective. This isn't the first time malicious parties used a "who viewed your profile" scheme to turn social media users into willing victims. Clickjacking and phishing schemes involving the Facebook Profile Viewer ruse has been proven effective. Last year, a study showed that the most effective scam on Facebook jumped on the users’ curiosity to see who viewed their profiles, accounting for 30% of the malicious links identified infecting users that year. Cyber crooks also hopped on the immense popularity of Twitter and took advantage of the fast pace it could be used to spread and bait users into clicking a malicious link. The app, named See Wh0 Viewed Y0ur Pr0file duped users into granting access to their credentials, sending out 6972 tweets in a matter of fifteen minutes.

Everyone should be aware of this fact: to date, there remains to be no legitimate, secure app that allows social media users to see who views and accesses their social media accounts. Save for LinkedIn’s “profile view” reports, social media sites and applications neither provide nor support this kind of service. Chances are, those who advertise the feature are scams that allow hackers access to a user's account.

This recent incident should also be a wake-up call for mobile users—especially iOS users—to never let their guard down. Despite the Apple's highly regarded App Store vetting process, malicious apps can still get through. And despite being ultimately caught and taken down, the app still managed to potentially compromise close to a million accounts.

[Read: How to improve security on your iOS device]


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.