A third-party Instagram app designed to steal passwords was briefly the most downloaded app on the Apple App Store before it was removed.
Google was first to remove the app before Apple quickly followed suit. Before the tech giants could act, the app had already become the top-grossing app in Apple’s App Store and had been downloaded over 500,000 times from Google Play, writes Liam Tung for ZDNet.
Developer uses Twitter to raise the alarm
An iOS developer known as David L-R was the first to notify the companies about the app, called “Who Viewed Your Profile – InstaAgent.” He took to Twitter to detail how the app was storing Instagram logins and sending them to a remote server.
According to MacRumors, InstaAgent became the top free app in the UK and Canada, but was less of a hit in the U.S. While 500,000 downloads were logged from Google Play, Apple does not release download numbers from its App Store. David L-R claims that the number would be vaguely similar on both stores.
The app claimed to be able to show the top 100 viewers of your Instagram profile, and would charge over $10 through in-app purchases for the promised capability. This is far from the first time that a malicious app has been brought to the attention of Google and Apple.
App store security a worry for Apple and Google
Google has in fact been criticized for an app review process that many claim is less strict than Apple’s. This time around, both tech companies failed to flag the app until many people had installed it and potentially paid money for a non-existent service.
Apple also came in for criticism after dozens of apps in the China app store were found to contain XcodeGhost malware. In this latest case, it seems likely that neither company will pay the developer for the downloads that the malicious app received.
Google outlaws malicious scripts in its terms of service, and says “developers must not mislead users about the apps they are selling nor about any in-app services, goods, content or functionality they are selling”. Apple did not comment on the latest case, but it is company policy to offer EU customers a 14-day refund period.
There is still hope that affected users will be reimbursed for their purchases.