Security researchers have discovered a number of malicious apps on the Google Play store that are designed to illicitly obtain a victim’s Instagram login information.
Posing as tools for acquiring more Instagram followers, the apps were actually designed to phish for passwords and usernames for Instagram accounts, allowing criminals to gain control of those accounts to promote spammy websites.
Security firm ESET reports that the dangerous apps – 13 in total – have been downloaded over 1.5 million times. They also report that since they alerted Google to the discovery, all the apps have been removed.
Users with Android phones are always advised to install apps from Google’s “trusted” Play Store and not from third-party websites, since Google vet apps to ensure they’re legitimate. However, this is another demonstration that Google’s Play Store can’t be trusted completely.
The malicious apps all promised Android users they could boost their Instagram followers. When installed on a phone, the app would ask the user to enter their username and password into a login screen. However, the login screen would then send that information to the developers of the malicious apps.
Remember to keep your mobile phones safe. Even if an app is on the Google Play Store, it may not be safe. So remember to be cautious of suspicious-sounding apps and be wary of apps with little or no user feedback.
Also consider enabling two-factor authentication for your Instagram account. That way, even if the criminals do obtain your Instagram password, they would still need to get past an additional layer of security to access your account, most commonly a PIN sent to your phone through SMS.