Instascam! Apple yanks phoney app, Google follows

Popular password harvester kicked off App Store and Play

A popular but malicious fake Instagram “who viewed your profile” app has been pulled from both Apple's App Store and Google Play – but not until after between 500,000 and a million suckers downloaded it.

“Who Viewed Your Profile – InstaAgent” exploited people's insecurity (it's also a popular way for Twitter scam accounts to draw in the clicks) to get them to install an app that harvested user credentials, posted them to a remote server, and hijacked accounts to post unauthorised images to victims' profiles.

German iOS developer David Layer-Reiss, who goes by the Twitter handle @PeppersoftDev, discovered the hijack.

Both Apple and Google have to be marked down for letting the app past their code review processes in the first place.

United Press International says the Android version got at least 100,000 downloads in spite of a 2.2 star rating. Other estimates give the possible Android download rate at close to the App Store's half-a-million.

As a rule, El Reg would note, any third-party app promising to identify profile viewers on social media accounts should be treated as a scam. LinkedIn is a special case: there, its profile view reports are just a creepy feature. ®
