Researchers at IT security firm ESET discovered 13 apps which steal Instagram credentials on Google Play, placing up to 1.5 million users who installed the apps at risk.
The malicious apps were phishing for Instagram credentials and sending them to a remote server. While they appear to have originated in Turkey, some used English localisation to target Instagram users worldwide.
To lure users, the apps promised to increase the number of followers, likes and comments on a user's Instagram account. In reality, the compromised accounts were used to raise the follower counts of other users.
The apps guided users to log in via an Instagram lookalike screen. The credentials entered were then sent to the attackers' server in plain text. The stolen credentials could then be used to compromise accounts and spread spam and ads.
If a user downloaded one of these apps, their account might appear to have increased following and follower numbers, or they may receive replies to comments they never posted.
While all of the apps have been removed from Google Play following ESET's notification, the company cautioned that affected users should immediately uninstall the malicious app and change their Instagram password.
ESET warned that users must not enter sensitive information into untrusted login forms of third-party apps.
To verify whether an app can be trusted, it suggested checking the popularity of the app's developer by the number of installs, ratings and reviews.