Cyber security firm ESET have discovered 13 new Instagram-credential-stealing apps that have been installed from the Google Play store by more than 1.5 million users worldwide.
ESET says the cybercriminals have been targeting Instagram users by luring them to install these apps, which claim to boost their Instagram followers.
Detected by ESET security products as Android/Spy.Inazigram, the applications harvest Instagram credentials and then send them to a remote server. To lure users into downloading them, the apps promise to rapidly increase the number of followers, likes and comments of a user’s Instagram account.
Figure 1 – The malicious apps on Google Play
According to ESET, the 13 malicious applications were discovered on the official Google Play store. They appear to have originated in Turkey, but some used English localisation to target Instagram users worldwide. Altogether, the malicious apps have been installed by up to 1.5 million users. Upon ESET’s notification, all 13 apps were removed from the store.
Apart from an opportunity to use compromised accounts for spreading spam and ads, there are also various “business models” in which the most valuable assets are followers, likes and comments. In their research, ESET analysts traced the servers to which the credentials were sent and connected these to websites selling various bundles of Instagram popularity boosters.
How does it work?
Once installed, each application used the same technique to steal Instagram credentials from users and send them to a remote server. Instagram followers, likes and comments are becoming highly sought after and profitable, so the apps lured users by promising to rapidly increase the number of followers, likes and comments on their own Instagram account. Ironically, the compromised accounts were then used to raise the follower counts of other users.
For one of these apps, “Instagram Followers”, the user needed to log in via an Instagram lookalike screen. The credentials entered were then sent to the attackers’ server in plain text. After entering the credentials, the user would find it impossible to log in and was shown an “incorrect password” error screen instead.
Furthermore, the error screen featured a note suggesting the user visit Instagram’s official website and verify their account in order to sign in to the third-party app. Because victims are notified about an unauthorised login attempt made on their behalf and are prompted to verify their account as soon as they open the real Instagram app, the note is designed to lower their suspicion in advance.
If the attackers are successful and the user doesn’t recognise the threat upon seeing Instagram’s notification, the stolen credentials can be put to further use.
Figure 2 – “Instagram Followers” promising to boost Instagram engagement
Figure 3 – Instagram login lookalike screen
Figure 4 – “Incorrect password” error preventing the user from logging in
Figure 5 – Official Instagram notification about unauthorized login attempt
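The exfiltration path described above, a lookalike login form posting the entered credentials in plain text to a third-party server, is the kind of traffic a mobile proxy or network capture can flag. The following Python triage is an added example, not ESET’s detection logic; the trusted-host list, the field names and the sample requests are constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Hosts that legitimately receive an Instagram login (assumption for this example;
# a real deployment would maintain this list from the platform's own documentation).
TRUSTED_LOGIN_HOSTS = {"instagram.com", "www.instagram.com", "i.instagram.com"}
PASSWORD_FIELDS = {"password", "pass", "passwd", "pwd"}

def form_fields(body: str) -> set:
    """Field names of a JSON or URL-encoded request body, lower-cased."""
    try:
        data = json.loads(body)
        return {str(k).lower() for k in data} if isinstance(data, dict) else set()
    except ValueError:
        return {k.lower() for k in parse_qs(body, keep_blank_values=True)}

def assess_request(req: dict) -> list:
    """Reasons a captured POST looks like credential theft; empty list if benign.
    req has keys scheme, host and body (the shape of the constructed sample below)."""
    fields = form_fields(req.get("body", ""))
    if not fields & PASSWORD_FIELDS:
        return []  # no password field: not a login submission at all
    reasons = []
    host = req["host"].lower()
    if host not in TRUSTED_LOGIN_HOSTS:
        reasons.append(f"password posted to untrusted host {host}")
    if req["scheme"].lower() != "https":
        reasons.append("password sent over plain HTTP")
    return reasons

def triage(requests: list) -> list:
    """(host, reasons) for every request that raised at least one reason."""
    flagged = []
    for req in requests:
        reasons = assess_request(req)
        if reasons:
            flagged.append((req["host"], reasons))
    return flagged

# Constructed sample traffic, not a real capture.
SAMPLE_REQUESTS = [
    {"scheme": "https", "host": "www.instagram.com",
     "body": "username=alice&password=hunter2"},                  # genuine login: benign
    {"scheme": "http", "host": "followers-boost.example",
     "body": "username=alice&password=hunter2"},                  # lookalike form, plain text
    {"scheme": "https", "host": "api.boost.example",
     "body": json.dumps({"user": "alice", "pwd": "hunter2"})},    # JSON variant over TLS
    {"scheme": "https", "host": "cdn.boost.example",
     "body": "page=followers"},                                   # no credentials at all
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_REQUESTS):
        print(host, "->", "; ".join(reasons))
```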
How to know you’ve been infected and what to do
If you’ve downloaded one of these apps from Google Play, ESET says you will find it among your installed applications. You should also have seen a notice or email from Instagram saying someone is attempting to log into your account. Finally, your Instagram account will probably have gained a large number of followers in a short amount of time, and you’ll probably be getting replies to comments you never wrote.
You’ll need to uninstall all of the above-mentioned apps in your application manager to clean your device. You can also let a mobile security solution remove the threats for you directly.
The next step is to secure your Instagram account. Change your Instagram password immediately and, if you use the same password on other platforms, change those as soon as possible as well. Malware authors are known to test stolen credentials across other services, so it’s best practice to use a different password on each of your accounts.
“Social media apps like Instagram are very popular worldwide, and especially among the younger demographic,” says Nick FitzGerald, Senior Research Fellow at ESET.
“Having a good following on Instagram can be important for some users, and many think the easiest and fastest way to do so is by buying them or looking for apps promising to maximize followers,” he explains.
“While these followers are fake accounts and this is not approved by Instagram’s guidelines, users then expose themselves to a greater risk of having their credentials and wider personal information stolen,” says FitzGerald.
“As a general guideline, users should be protecting their social media accounts whether accessing them from desktop or mobile. There are a few golden rules to remember when installing apps and protecting an account,” he says.
“Firstly, if you are installing a third-party app, do not insert your sensitive information into untrusted login forms. Secondly, do a quick check on the app popularity, ratings and reviews. Not all reviews can be trusted, so if it looks dodgy, it probably is. Thirdly, enable two-factor authentication for stronger protection of your account and do not use the same password for all accounts.
“And finally, use a reputable mobile security solution to protect your device,” adds FitzGerald.
Figure: How the credential-stealing works
Figure 6 – Websites selling Instagram followers