Fake Instagram assistance apps found on Google Play are stealing passwords

Credit to Author: Nathan Collier| Date: Fri, 12 Apr 2019 17:40:55 +0000

We all want those Instagram likes and followers. Many apps on Google Play claim they can assist you with that effort. But what if the app that’s supposed to be helping you is also stealing your username and password? 

As a matter of fact, that’s exactly what we found in three fake Instagram assistance apps still available on Google Play at the time of this writing. Moreover, these fake apps are targeting Iranian users. Malwarebytes already detects the malicious apps as Android/Trojan.Spy.FakeInsta.

What’s in a like?

As the psychology of social media reveals how addicting it can be to receive likes and even better, followers, on platforms such as Instagram, users often look for shortcuts or other ways to game the system in order to get that rush of dopamine. 

That’s where Instagram assistance apps come into play—Google Play, that is! Apps that claim to boost your likes and increase your followers are an attractive notion, especially when building a thriving Instagram account organically can take months or even years. Malware authors are great opportunists, and there is certainly a lot of opportunity to exploit when it comes to creating account-stealing fake apps.

InstaStolen account

Let’s use an app named Followkade as a case study of this new-found Instagram credential stealer.

App Name: Followkade

Package Name: com.followkade.insta

Installs: 50,000+

Reviews: 4.0 out of 6,999 total respondents

As you can see, it’s a highly-rated app with thousands of downloads and reviews. Customers on Google Play looking to determine the app’s legitimacy would be none-the-wiser.

After install, the app opens to a splash page, and then a page asking for Instagram credentials.

I used the following to log in:

Username: test_username

Password: test_password

After opening a network scanner, I pressed Login. Along with normal login traffic to Instagram, there was some additional network traffic going on here. Take a look at the screenshots below with proof of the stolen credentials.

There it is in plain text: my test username and password being sent to a known malicious website.

Insta targets

There are many apps that pose as so-called helpers piggybacking off the social media craze. Some of them are legitimate apps that might be able to help users boost likes and followers as advertised. However, malware authors can too easily mimic the above board apps, and they bank on users’ desire to find fast validation through social media acceptance.  

The other two apps that we found, LikeBegir and Aseman Security, also target Iranian users, as does Followkade. LikeBegir claims it will increase likes, help users buy cheap coins, and provide daily gifts. Aseman Security, ironically, boasts that it will boost security for your Instagram page and prevent it from being hacked.

I would imagine there aren’t a lot of Iranian Instagram assistance apps on Google Play, so it’s an easy target for malware authors of that region. In these cases, picking a highly-rated and installed app isn’t much help to be safe.

Acknowledgement and tips

Many thanks to Malwarebytes Forum patron AmirGooran for tipping us off about the fake apps. 

If you’re looking to boost your Instagram community, it’s a lot safer to do it the old-fashioned way: by creating quality content with well-edited, creative photos. Take the time to write engaging captions with appropriate hashtags to attract others. And build your community by following and interacting with other top content creators you truly appreciate—not just using the follow for a follow model.

And if you’re interested in securing your Instagram account, once again, the old-fashioned ways win out. Be sure to use strong password credentials, which means long passwords that don’t have easily guessable information such as birthdays or family names, and nothing that has been used for another account. We typically recommend folks use a password manager so they needn’t worry about remembering 27 different passwords. In addition, avoid using the Insta Messages function for communicating any confidential, important information, because it has no end-to-end encryption option whatsoever.

Read more: How do I secure my social media profile?

Like anything in life, building a respectable social media following takes work. Avoid the shortcuts: Not only do they fail at doing the things they promise—they may also take away much more than you would receive. After all, are fake likes really worth getting your personal information stolen? Stay safe out there!

The post Fake Instagram assistance apps found on Google Play are stealing passwords appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/