A popular but malicious fake Instagram “who viewed your profile” app has been pulled from both Apple's App Store and Google Play – but not until after between 500,000 and a million suckers downloaded it.
“Who Viewed Your Profile – InstaAgent” exploited peoples' insecurity (it's also a popular way for Twitter scam accounts to draw in the clicks) to get them to install an app that harvested user credentials, posted them to a remote server, and hijacked accounts to post unauthorised images to victims' profiles.
German iOS developer David Layer-Reiss, who goes by the Twitter handle @PeppersoftDev, discovered the hijack.
Both Apple and Google have to be marked down for letting the app past their code review processes in the first place.
United Press International says the Android version got at least 100,000 downloads in spite of a 2.2 star rating. Other estimates give the possible Android download rate at close to the App Store's half-a-million.
I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS Appstore that is downloaded half a million times.— David L-R (@PeppersoftDev) November 10, 2015
As a rule, El Reg would note, any third-party app promising to identify profile viewers on social media accounts should be treated as a scam. LinkedIn is a special case: there, its profile view reports is just a creepy feature. ®