14 March 2017

Google Play apps may not be what they seem

Source: ESET. Rogue apps.
Researchers at ESET, a global player in proactive cybersecurity, have discovered 13 new Instagram credential stealers on the Google Play store. While they appear to have originated in Turkey, some apps used English localisation to target Instagram users worldwide. Altogether, the malicious apps have been installed by up to 1.5 million users.

According to ESET, the new credential-stealing apps appeared on the official Google Play store as tools for either managing or boosting the number of Instagram followers. To lure users into downloading, the apps promised to rapidly increase the number of followers, likes and comments on one's Instagram account. Detected under the name Android/Spy.Inazigram, the malicious applications were phishing for Instagram credentials and sending them to a remote server. The compromised accounts can be used to spread spam, ads, and raise follower counts of other users.

For example, one of the apps, named Instagram Followers, requires the user to log in via an Instagram lookalike screen. The credentials entered into the form are then sent to the attackers' server in plain text. Once the credentials have been entered, the user is unable to log in and is shown an "incorrect password" error screen.

The error screen also features a note suggesting the user visit Instagram's official website and verify their account in order to sign in to the third-party app. Because victims will be notified of an unauthorised login attempt on their behalf and prompted to verify their account as soon as they open Instagram, the note is designed to lower their suspicion in advance.

According to ESET, victims can tell if their accounts have been compromised if they see an unfamiliar icon under their installed applications. They will also have seen a notice from Instagram about someone attempting to log into their accounts. Finally, their Instagram accounts might appear to have increased following and follower numbers, and experience replies to comments that they have never posted.

ESET suggests that victims uninstall the unfamiliar apps or use a reliable mobile security solution to remove the threats. They should also change their Instagram password immediately, as well as wherever the same password is used. ESET recommends using a different password for each account.

ESET also advises users to use a mobile security solution, and stick to popular apps marked as Top Developer or found in the Editor's Choice category. While developers may appear popular going by the number of installs, ratings and the content of reviews, ratings and reviews are not always reliable.

Upon ESET's notification, all 13 apps have been removed from the store.