More than 100,000 Instagram users fell for a bold,
effective scam called InstLike, an app that promised free likes and followers
on the photo sharing platform. The app asked users to share their usernames and
passwords after downloading, turning them into willing participants of a giant
social botnet. After users signed up for the free app, InstLike would begin
liking random photos and following random users. It also asked users to buy
virtual coins to accrue more likes and followers, according to new research
by security firm Symantec, shared exclusively with Mashable.
“We don’t steal your account,” the app developers promised
in the login screen. But InstLike did just that. Symantec estimates that at
least 100,000 users fell for the scam. The app was able to add Likes and
followers using those real accounts to feed the scam ecosystem. The more people
took the bait, the more followers and Likes it delivered.
Despite raising a giant red flag by directly asking for
login credentials instead of using the Instagram API, the app was very
successful and survived scrutiny from Apple and Google for months, according to
Symantec, which spotted the scam in late October. The Android app was created
on June 9, while its corresponding iOS app was released on September 19, per
app store analytics website App Annie.
After Symantec warned Apple and Google, the app was
removed from Google Play and the App Store on October 25 and November 7
respectively. But according to Symantec, it was downloaded and used by many
people collectively before then, harvesting a treasure trove of accounts into
its botnet. On October 5, InstLike hit its peak in the App Store, where it was
No. 22 under most downloaded “utility” apps and No. 571 overall, according to
App Annie.
In the Google Play store, InstLike had between 100,000 and
500,000 downloads before it was pulled, with more than 100,000 ratings across
app stores, per Symantec. These numbers led the firm to estimate that at least
100,000 users gave their passwords to InstLike, a figure Symantec considers
“conservative.” “People didn’t realize that they were being duped into giving
their login credentials to this app,” Satnam Narang, the security researcher at
Symantec who found out about InstLike, said in an interview with Mashable.
It also convinced people to pay for extra Likes and
followers. For almost an entire month, from October 8 until November 7, when it
was removed from the App Store, InstLike was either the No. 2 or the No. 1
highest-grossing app among utilities applications, and in the top 200 overall. This
is not the first app that has tried to scam social media users by promising
Likes and followers, but its tactics were fairly innovative, Narang explained.
Normally, apps running this kind of scam ask for money upfront, but this app was free
and used real accounts, not fake ones.
Users perhaps were naive to give up their passwords, but
the app was sophisticated; it used a variety of ways to convince people to pay
for virtual coins and spread the app. Instagram sent Mashable the following
statement: “Posting automated content to Instagram clearly violates our Terms
of Use. We have a team dedicated to stopping abuse on the service and enforcing
our policies, including removing content that violates our terms.”
Although the apps have since been removed from Google Play
and the App Store, the app’s site, InstLike.com, is still operational. If you
downloaded the app and gave out your credentials, Symantec suggests changing
your password immediately, then deleting the app from your phone. Otherwise,
InstLike will continue to post from your account.
Source: Mashable.com