The app InstaAgent claimed to offer an appealing use case: the ability to see who views your Instagram profile.
It also may have been harvesting the passwords of thousands of Instagram users and posting photos to their accounts without their knowledge.
The potential malware in the app, which has been removed from Apple's App Store and the Google Play Store, was first discovered by a developer for the German app company Peppersoft.
By asking users to enter their Instagram logins, "Who Viewed Your Profile - InstaAgent" was collecting passwords tied to Instagram accounts and silently posting photos to comprised accounts in an effort to drive more downloads, Peppersoft's developer claimed in a series of tweets:
—David L-R (@PeppersoftDev) November 10, 2015
—David L-R (@PeppersoftDev) November 10, 2015
It's unclear exactly how many people downloaded InstaAgent, but according to the analytics firm App Annie, it did reach the top spot in the App Store's free chart in 15 countries, including the UK and Canada.
"These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way," an Instagram spokesperson told Tech Insider. "We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."
It is unclear who made the InstaAgent app.
