Fake Instagram Apps on Google Play Harvest User Logins | Threatpost

Three apps on Google Play claiming to help Instagram users amass followers have been found stealing usernames and passwords for the social photo service.
The fake apps were uncovered by Malwarebytes, and are still available, according to Nathan Collier, a security researcher with the firm.
“As the psychology of social media reveals how addicting it can be to receive likes and even better, followers, on platforms such as Instagram, users often look for shortcuts or other ways to game the system in order to get that rush of dopamine,” Collier said in a Friday analysis . “Apps that claim to boost your likes and increase your followers are an attractive notion, especially when building a thriving Instagram account organically can take months or even years. Malware authors are great opportunists, and there is certainly a lot of opportunity to exploit when it comes to creating account-stealing fake apps.”
He said that three apps, called Followkade, LikeBegir and Aseman Security, specifically target Iranian users.
After install, the apps open a page asking for Instagram credentials; they legitimately log the user into Instagram – but also send the credentials to a malicious, attacker-controlled website – something Collier uncovered by analyzing the traffic with a simple network scanner.
“There was some additional network traffic going on here,” he said.
Followkade offers to collect additional followers; and LikeBegir “claims it will increase likes, help users buy cheap coins and provide daily gifts,” Collier said. “Aseman Security, ironically, boasts that it will boost security for your Instagram page and prevent it from being hacked.”
LikeBegir has a 4.8-star rating by 440,404 reviewers, Followkade for its part has 50,000+ installs, and rates an average four stars in reviews by 6,999 total respondents – meaning that Google Play browsers that try to determine the app’s legitimacy would have a hard time of it.
Some one-star reviews do offer a red flag: “The rubbish of the program I’ve used so far. Meanwhile, it also has a security problem keeping the password in its own site,” one LikeBegir reviewer said.
The apps remain up on the official store at the time of writing – Threatpost will update this article with any further information gleaned about Google taking down the apps. However, it’s worth noting that Google continues to crack down on rogue apps; it recently said that the number of app submissions that were rejected on the app marketplace increased by more than 55 percent in 2018.  The number of app suspensions on Google Play also jutted up by 66 percent in 2018.
While these particular apps are hyper-targeted regionally, they bring up the fact that social-media activity should be undertaken with caution – and that shortcuts are often a path to compromise.
“If you’re looking to boost your Instagram community, it’s a lot safer to do it the old-fashioned way: by creating quality content with well-edited, creative photos,” Collier said. “Take the time to write engaging captions with appropriate hashtags to attract others. And build your community by following and interacting with other top content creators you truly appreciate – not just using the follow for a follow model.”
Don’t miss our free Threatpost webinar , “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.