ESET researchers have discovered 13 new Instagram credential-stealing apps on Google Play, and have recently also looked into the motivations behind the fraudulent schemes.
The researchers found that each of the highlighted apps was built to lure users into downloading it, under the unrealistic promise of rapidly increasing the number of followers, likes and comments on their Instagram account.
“Ironically, the compromised accounts were used to raise follower counts of other users,” ESET says following its investigation into the collection of apps that, it reveals, were eventually installed by up to 1.5 million users.
The apps (which have all since been pulled from the store, you’ll be glad to hear) specifically required the user to log in to the photo and video-sharing service via an “Instagram lookalike screen,” ESET notes, as it claims that the credentials entered into this bogus login form were then “sent to the attackers’ server in plain text.”
These stolen credentials can be used to “compromise accounts and spread spam and ads,” it says, as well as in various other “business models” in which the most valuable assets are followers, likes and comments.
You can learn more about the spread of apps that behaved this way, and how the whole scam worked, over at welivesecurity.com.
To further reduce the possibility of someone breaking into your Instagram account, you may wish to consider activating two-factor authentication. To do so, first head to your profile tab within the official Instagram app, then tap the settings icon (top right) and select ‘Two-Factor Authentication’.
Instagram will then request your phone number in order to send you a unique code that will thereafter be required to log in to the account in question, until the setting is deactivated.