New rogue app steals Google and iOS user Instagram credentials

Apple and Google have once again been deceived into accepting rogue apps on their App stores. The new apps steal a user's Instagram usernames and passwords.

The Android App with 23,000 users is called “Who Viewed Me on Instagram” and the iOS app is called “InstaCare – Who cares with me?” , and is a very popular app in Germany. The new apps were developed by Turker Bayram, the same developer who built the InstaAgent Android and iOS apps, which stole Instagram credentials last November.

David Layer-Reiss of Peppersoft Development found the two new apps and the previous InstaAgent apps and said that once users install InstaCare, they're instantly forced to login with their Instagram credentials that are then encrypted and sent to the crook's server. The app lures users by pretending to advise them who has viewed their profile and can be maliciously used to gain access to the user's info including profile, contacts and credentials.

Layer-Reiss said in his blog,  “I was astonished that Apple and Google didn't have a closer look at his new application. One should assume a developer who already published a malicious app, should be watched more closely.”

The apps have not been removed from the app stores at the time of publication.