InstaAgent Pulled from App Store for Stealing User Names, Passwords


Apple has pulled the popular InstaAgent app from the App Store after discovering it was harvesting Instagram user names and passwords. The app was touted as a tool to show who had viewed your Instagram profile, but instead was sending users' logins unencrypted to a remote server.

Uh oh! More malware found on the App Store!

InstaAgent, or more properly Who Viewed Your Profile-InstaAgent, was downloaded more than 500,000 times by people who presumably wanted to know who was looking at their Instagram profile. Instagram is a social networking service owned by Facebook that lets users post photos for others to view.

App developer and Twitter user David L-R first noted the malware and showed that it's harvesting logins without permission. In some cases, hackers then used the logins to post photos to victims' accounts. It's a safe bet that everyone who downloaded and used the app needs to change their Instagram password because it most likely has been compromised.

The app was also available for Android device users, and Google has pulled it from their app store as well. The big question now is how did this malware app make it through Apple's App Store screening process?

This isn't the first time malware slipped through the vetting process. Apple recently pulled hundreds of apps that were harvesting user information after finding a hacked version of its developer tools was being used.

In that case, developers in China used the hacked version of Xcode because the country's national firewall made downloads painfully slow. They weren't aware malware was being injected into their code, and clearly Apple didn't notice at first, either.

Like the issue with InstaAgent, it took third-party developers to discover the issue. Apple didn't catch the malware with its screening process, and responded to the issues only after someone else pointed out where the problems were.

For the most part, the App Store screening process is keeping iPhone, iPad, and iPod touch users safe from malicious software. That said, it's getting more difficult to trust that Apple's process is truly protecting users, one of the benefits we put up with as a part of the App Store's "walled garden" approach to software distribution.

App screening is a complex issue, and something Apple clearly needs to refine and improve. The company is always working to make that process better and more secure, and learns from the limited malware that does slip through. Odds are Apple has already made changes to help keep similar apps from getting onto the App Store.

[Thanks to the BBC for the heads up]

The Mac Observer Spin

More egg on Apple's face. The consolation is that Apple is a quick learner, so hackers hoping to slip through the process with similar techniques are most likely out of luck.

Lee Dronick

Any app that asks for login and password should get priority and extra vetting.
