Security researchers have discovered 13 new Instagram credential-stealing apps on Google Play.
The malicious apps, which pose as tools for either managing or boosting Instagram follower numbers, are actually designed to phish for Instagram credentials. The stolen credentials allow hackers to abuse compromised accounts in order to distribute spam and ads, enriching crooks in the process.
Altogether the malicious apps have been installed by up to 1.5 million users, software security firm ESET reports.
Upon ESET’s notification, all 13 apps were removed from the store.
The dodgy apps typically trick marks into installing them by promising to increase the number of followers, likes and comments tied to an Instagram account.
Victims were induced to enter their credentials into an Instagram lookalike screen; the credentials were then sent to the attackers’ server in plain text.
While the apps appear to have originated in Turkey, some used English localisation to target Instagram users worldwide.
ESET has added detection for the nasties, which it collectively identifies as Android/Spy.Inazigram. More details of the threat can be found in a blog post by ESET.
Although phishing and malware threats targeting either Facebook or Twitter users are more common, Instagram fans are by no means strangers to threats. For example, crooks put together a smut-themed scam campaign targeting Instagram users last August. The ruse was designed to pull in traffic to X-rated and adult hookup sites. ®