Instagram users are the target of several new credential stealing apps, appearing on Google Play as tools for either managing or boosting the number of Instagram followers.
Under the detection name Android/Spy.Inazigram, 13 malicious applications were discovered in the official Google Play store. The apps were phishing for Instagram credentials and sending them to a remote server, according to security company ESET.
While they appear to have originated in Turkey, some used English localisation to target Instagram users worldwide. Altogether, the malicious apps have been installed by up to 1.5 million users. Upon ESET’s notification, all 13 apps were removed from the store.
All the applications employed the same technique of harvesting Instagram credentials, and sending them to a remote server. To lure users into downloading, the apps promised to rapidly increase the number of followers, likes and comments on one’s Instagram account.
Ironically, the compromised accounts were used to raise follower counts of other users.
The apps require the user to log in via an Instagram lookalike screen. The credentials entered into the form are then sent to the attackers’ server in plain text. After entering the credentials, the user finds it impossible to log in, as an “incorrect password” error screen explains.
The error screen also features a note suggesting the user visit Instagram’s official website and verify their account in order to sign in to the third-party app. As victims are notified about an unauthorised attempt to log in on their behalf and prompted to verify their account as soon as they open Instagram, the note aims to lower their suspicion in advance.
If the attackers are successful and the user doesn’t recognise the threat upon seeing their Instagram’s notification, the stolen credentials can be put to further use.
Apart from an opportunity to use compromised accounts for spreading spam and ads, there are also various “business models” in which the most valuable assets such as followers, likes and comments are harvested.
ESET’s researchers have traced the servers to which the credentials are sent and connected these to websites selling various bundles of Instagram popularity boosters.