Do Not Fall for Fake Instagram Helper Apps That Can Steal Your Password


Why are social networks so successful? Well, in short, they are thriving because people spend quite a lot of time using them. And people do this because they're interested in what the rest of the world thinks about them.

Let's be honest, if we didn't care whether other people "like" (both in terms of clicking a thumbs-up button and in the more traditional sense) the cat videos we share, we would be keeping them to ourselves. If we weren't interested in whether other users agree with our political opinions, we wouldn't be using Twitter to express them. The (ugly for some) truth is, we are in love with the attention we receive from social networks, and we want to get as much of it as possible. Some people who are struggling to impress real human beings are even prepared to use apps and services that can supposedly help them accumulate more followers and likes. But can these apps and services deliver?

Android users looking for more Instagram followers should be careful

The concept of downloading a mobile application that can automatically increase your following on one of the world's most popular social media platforms does sound a bit shady. Nevertheless, Android users who want to grow an Instagram community around their accounts are somewhat spoiled for choice when it comes to applications that promise to help them get more exposure and a better experience on the social network. What's more, dozens of these apps also appear on Google Play, which gives them an air of legitimacy. Unfortunately, history has taught us that sneaking shady software onto Android's official app store is not exactly impossible, and sure enough, according to researchers from Malwarebytes, at least three of the Instagram "helper" apps were designed with the sole intention of stealing people's passwords.

Iranian Instagrammers are targeted by a credential harvesting campaign

Malwarebytes' experts didn't specify how many people might be affected, but they did note that the attack appears to be aimed at Iranian Instagram users. Two of the applications, LikeBegir and Followkade, promised increased exposure on Instagram, and the third one, Aseman Security, told users that it's going to help them better protect their account on the photo-sharing network. The experts used Followkade to illustrate how the campaign works.

At first glance, there's very little to suggest that something's off. There is nothing of particular interest during the installation, and the specialists didn't say anything about additional permissions requested by the app.

As soon as you launch it, it does present a login page and asks you to enter your Instagram credentials, but considering Followkade's alleged capabilities, this is not unexpected behavior. Furthermore, when the researchers looked at its Google Play page, Followkade had quite a lot of reviews, more than 50 thousand downloads, and an average rating of about four stars, which suggested that people were actively using and enjoying the application.

When they examined it with a network scanner, however, the security specialists saw that in addition to logging users into their accounts, Followkade, LikeBegir, and Aseman Security were also sending their usernames and passwords (in plain text, no less) to a third-party server. Google was informed about the operation, and the apps were quickly taken down from the Play store.
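The kind of check described above can be reproduced on a traffic capture: sign in with throwaway canary credentials, then search every request sent to a host outside Instagram's domain for those values. The following is an added example, not code from Malwarebytes or from this article; the flow-record format, the host names and the canary values are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote_plus

# Assumption: the only domain a genuine Instagram login should send credentials to.
EXPECTED_SUFFIXES = ("instagram.com",)

# Throwaway canary credentials typed into the app under test (constructed values).
CANARY_USER = "canary_user_7f3a"
CANARY_PASS = "Canary!Pass-91c2"

# Constructed capture (not real traffic); third-party hosts use reserved example domains.
SAMPLE_FLOWS = [
    {"url": "https://www.instagram.com/login",
     "body": "username=canary_user_7f3a&password=Canary%21Pass-91c2"},
    {"url": "http://collector.example.net/save.php",
     "body": "u=canary_user_7f3a&p=Canary%21Pass-91c2"},
    {"url": "https://ads.example.org/pixel?id=123", "body": ""},
    {"url": "https://instagram.com.example.net/login",
     "body": '{"user": "canary_user_7f3a"}'},
]

def is_expected(host):
    """True only for the expected domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in EXPECTED_SUFFIXES)

def find_credential_leaks(flows, user, password):
    """Report requests to unexpected hosts that carry the canary values."""
    findings = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        host = parts.hostname or ""
        if is_expected(host):
            continue
        # Decode URL-encoding so values match whatever the field names are.
        haystack = unquote_plus(parts.query + "\n" + flow.get("body", ""))
        leaked = [name for name, value in (("username", user), ("password", password))
                  if value in haystack]
        if leaked:
            findings.append({"host": host, "leaked": leaked,
                             "cleartext_transport": parts.scheme == "http"})
    return findings

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_FLOWS, CANARY_USER, CANARY_PASS):
        print(finding)
```

Matching on the canary values rather than on field names catches a collector that renames its parameters, and the suffix check keeps a lookalike host such as `instagram.com.example.net` from passing as Instagram.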

It's still unknown whether the stolen credentials have already been used to compromise accounts, but you can be pretty sure that if you have inadvertently given your password to the crooks, they are bound to exploit it sooner or later. Changing it is essential, and it's just as important to make sure that two-factor authentication is turned on.

You should also bear in mind that although the researchers uncovered just three apps that can steal your Instagram login credentials, there could be many others like them, so treading carefully is your best bet. In fact, if you really want to get more Instagram followers and likes, you might want to consider doing it the old-fashioned way – by sharing things that people actually like.

April 16, 2019