November 17, 2015

InstaAgent: What It Is and What You Can Do About It

Person holding smartphone with Instagram login on display.
Platform(s) Affected
Platform(s) Affected
Entry Type
Threat Summary
Threat Type
Platform(s) Affected
Threat Summary

Recently, news broke about a concerning app called InstaAgent. The app connects to the victim’s Instagram account and sends the user’s login credentials unencrypted to its servers. Here’s what we know about the threat.

What is it?

InstaAgent, found by researcher Peppersoft, promised Instagram users that it would show them who viewed their profiles, but instead, it sent the person’s Instagram login credentials in plain text, or unencrypted, back to its servers. The app was available in both the Google Play Store as well as the Apple App Store and may have been downloaded over 500,000 times. “Plain text” transmission is concerning as someone eavesdropping on the app’s communications to its serves could theoretically see the passwords while they are in transit.

Instagram itself was not breached, however individuals’ Instagram accounts could be breached if someone found and used these passwords.

How bad is it?

We believe people should be aware of the threat and remove the app from their device.

One of the biggest problems with leaked credentials is that many people share their passwords across accounts. Oftentimes, when these credentials fall in the wrong hands, that bad actor checks those credentials across a myriad of websites to see what she can access. You want to ensure that you have different and complex passwords for any sensitive accounts.

Am I protected?

Lookout users, including both individuals and enterprises, are protected and will be alerted if InstaAgent is present on their device.

Individual Lookout users running Android or iOS 8 and below are fully protected. However, due to limitations in iOS 9, Lookout is not able to alert those individuals of this threat.

Enterprises using Lookout Mobile Threat Protection are fully protected across iOS and Android and will be alerted if InstaAgent is present on employee devices.

What else should I do?

If you have InstaAgent, look for the icon on your device.

Delete the application and immediately change your Instagram password. If you used your Instagram password across multiple accounts, you should change those passwords immediately as well.

In general, you should always do thorough research on any third-parties before allowing them access to your personal accounts. Reading developer reviews is a good place to start.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats


September 19, 2023


Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.

September 18, 2023

ASPL 2023-09-01 / CVE-2023-35674

September 20, 2023

Deblind Analyzed: Lookout Identifies and Dissects Android App Used by Russian Sandworm APT's Infamous Chisel Spyware Tooling