Insert your username and password, get free followers and likes. This is what tens of thousands of Instagram users thought was happening.
More than 100,000 Instagram users fell for a bold, effective scam called InstLike, an app that promised free likes and followers on the photo sharing platform. The app asked users to share their usernames and passwords after downloading, turning them into willing participants of a giant social botnet.
After users signed up for the free app, InstLike would begin liking random photos and following random users. It also asked users to buy virtual coins to accrue more likes and followers, according to new research by security firm Symantec, shared exclusively with Mashable.
“We don’t steal your account,” the app developers promised in the login screen. But InstLike did just that.
Symantec estimates that at least 100,000 users fell for the scam. The app was able to add Likes and followers using those real accounts to feed the scam ecosystem. The more people took the bait, the more followers and Likes it delivered.
Despite raising a giant red flag by directly asking for login credentials instead of using the Instagram API, the app was very successful and survived scrutiny from Apple and Google for months, according to Symantec, which spotted the scam in late October.
The Android app was created on June 9, while its corresponding iOS app was released on September 19, per app store analytics website App Annie.
After Symantec warned Apple and Google, the app was removed from Google Play and the App Store on October 25 and November 7 respectively.
But according to Symantec, it was downloaded and used by many people before then, harvesting a treasure trove of accounts into its botnet.
On October 5, InstLike hit its peak in the App Store, where it was No. 22 under most downloaded “utility” apps and No. 571 overall, according to App Annie.
In the Google Play store, InstLike had between 100,000 and 500,000 downloads before it was pulled, with more than 100,000 ratings across app stores, per Symantec. These numbers led the firm to estimate that at least 100,000 users gave their passwords to InstLike, a figure Symantec considers “conservative.”
“People didn’t realize that they were being duped into giving their login credentials to this app,” Satnam Narang, the security researcher at Symantec who found out about InstLike, said in an interview with Mashable.
It also convinced people to pay for extra Likes and followers. For almost an entire month, from October 8 until November 7, when it was removed from the App Store, InstLike was either the No. 1 or the No. 2 highest-grossing app in the utilities category, and in the top 200 overall.
This is not the first app that has tried to scam social media users by promising Likes and followers, but its tactics were fairly innovative, Narang explained. Normally, scam apps of this kind ask for money upfront, but this app was free and used real accounts, not fake ones.
Users perhaps were naive to give up their passwords, but the app was sophisticated; it used a variety of ways to convince people to pay for virtual coins and spread the app.
Instagram sent Mashable the following statement: “Posting automated content to Instagram clearly violates our Terms of Use. We have a team dedicated to stopping abuse on the service and enforcing our policies, including removing content that violates our terms.”
Although the apps have since been removed from Google Play and the App Store, the app’s site, InstLike.com, is still operational. If you downloaded the app and gave out your credentials, Symantec suggests changing your password immediately, then deleting the app from your phone. Otherwise, InstLike will continue to post from your account.
-Mashable