Instagram users have recently been the target of new credential-stealing apps appearing on the Google Play store. ESET explains how it was done and how to protect yourself.
Instagram users have been the target of several new credential-stealing apps, appearing on Google Play as tools for either managing or boosting the number of Instagram followers.
Figure 1: The malicious apps on Google Play
Under the detection name Android/Spy.Inazigram, 13 malicious applications were discovered in the official Google Play store. The apps were phishing for Instagram credentials and sending them to a remote server.
While they appear to have originated in Turkey, some used English localization to target Instagram users worldwide. Altogether, the malicious apps were installed by up to 1.5 million users. Upon ESET’s notification, all 13 apps were removed from the store.
How do they operate?
All the applications employed the same technique of harvesting Instagram credentials and sending them to a remote server. To lure users into downloading them, the apps promised to rapidly increase the number of followers, likes and comments on one’s Instagram account.
Ironically, the compromised accounts were used to raise follower counts of other users, as is explained later in the article.
Figure 2 – “Instagram followers” promising to boost Instagram engagement
As shown in the following screenshot from ESET’s analysis of one of these apps, “Instagram Followers”, the app requires the user to log in via an Instagram lookalike screen. The credentials entered into the form are then sent to the attackers’ server in plain text. After entering the credentials, the user finds it impossible to log in: the app displays an “incorrect password” error screen.
Figure 3 – Instagram login lookalike screen
Figure 4 – “Incorrect password” error preventing the user from logging in
The error screen also features a note suggesting the user visit Instagram’s official website and verify their account in order to sign in to the third-party app. Because victims are notified by Instagram about an unauthorized attempt to log in on their behalf and are prompted to verify their account as soon as they open Instagram, the note aims to lower their suspicion in advance, so that the warning looks like an expected step.
Figure 5 – official Instagram notification about unauthorized login attempt
If the attackers are successful and the user doesn’t recognise the threat upon seeing the Instagram notification, the stolen credentials can be put to further use.
What happens to stolen credentials?
You might ask yourself: what use is there for a couple of (hundred thousand) stolen Instagram credentials?
Apart from an opportunity to use compromised accounts for spreading spam and ads, there are also various “business models” in which the most valuable assets are followers, likes and comments.
In ESET’s research, we traced the servers to which the credentials are sent and connected these to websites selling various bundles of Instagram popularity boosters.
Figure 6 – websites selling Instagram followers
The following scheme explains how this works:
How to protect yourself?
If you have downloaded one of these apps, you will find one of its icons under your installed applications. You will also have seen a notice from Instagram about someone attempting to log into your account, as shown in Figure 5. Finally, your Instagram account might appear to have increased following and follower numbers, or you might be getting replies to comments you never posted.
In order to clean your device, uninstall the above-mentioned apps found in your Application Manager or use a reliable mobile security solution to remove the threats for you.
To secure your Instagram account, change your Instagram password immediately. If you use the same password across multiple platforms, change those as well. As malware authors are known to access other web services using stolen credentials, you are advised to use a different password on each of your accounts.
To prevent your social media accounts from being compromised, there are a couple of things to keep in mind when downloading third-party apps from Google Play:
Do not enter your credentials into untrusted login forms of third-party apps. A login screen drawn by the app itself cannot be verified the way a browser address bar can, so a password typed into it goes wherever the app’s author chooses to send it. To verify whether an app is to be trusted, check the popularity of its developer by number of installs, ratings and, most importantly, the content of reviews.
However, don’t be too quick to jump to conclusions, as many of the ratings and reviews can’t be trusted. When in doubt, opt for high-quality apps marked as Top Developer or found in the Editor’s Choice category.
Last but not least, use a reputable mobile security solution to protect your device.
Low-cost wireless sport earphones get a kickstart
Wireless earphone brands are common, but not crowdfunded brands. BRYAN TURNER takes the K Sport Wireless for a run.
As wireless technology becomes better, Bluetooth earphones have become popular in the consumer market. KuaiFit aspires to make them even more accessible to more people through a cheaper, quality product, by selling the K Sport Wireless Earphones directly from its Kickstarter page.
KuaiFit has an app by the same name which offers voice-guided personal training services in almost every type of exercise, from cardio to weight-lifting. A vast range of connectivity to third-party sensors is available, like heart rate sensors and GPS devices, which work well with guided coaching.
The app starts off with selecting a fitness level: beginner, intermediate and advanced. Thereafter, one has the ability to connect with real personal trainers via a subscription to its paid service. The subscription comes free for 6 months with the earphones, and R30 per month thereafter.
The box includes a manual, a USB cable that splits into two connectors (one per earphone), different sized soft plastic eartips and the two earphone units. Each earphone is wireless and connects to the other without any cable between them. This puts the K Sport Wireless in the realm of the Apple AirPods in terms of connection style.
The earphones are just over 2cm wide and 2cm high. The set is black with a light blue KuaiFit logo on the earphone’s button.
The button functions as an on/off switch when long-pressed and a play/pause button when quick-pressed. The dual-button set-up is convenient in everyday use, allowing for playback control depending on which hand is free. Two connectivity modes are available, single earphone mode or dual earphone mode. The dual earphone mode intelligently connects the second earphone and syncs stereo audio a few seconds after powering on.
In terms of connectivity, the earphones are Bluetooth 4.1 with a 10-meter range, provided there are no obstacles between the device and the earphones. While it’s not Bluetooth 5, it still falls into the Bluetooth Low Energy connection category, meaning that the smartphone’s battery won’t be drastically affected by a consistent connection to the earphones. The battery capacities of the earphones aren’t specifically listed, but they last anywhere between 3 and 6 hours, depending on the mode.
Audio quality is surprisingly good for earphones at this price point. The headset style is restricted to in-ear due to its small design and probable usage in movement-intensive activities. As a result, one has to be very careful how one puts these earphones in, because incorrect in-ear placement can noticeably reduce the bass. In-ear earphones are usually notorious for ear discomfort and suction pain after extended usage. These earphones are one of the very few in this price range that are comfortable and don’t cause discomfort. The good quality of the soft plastic ear tips is definitely a factor in the high level of comfort of the in-ear experience.
Overall, the K Sport Wireless earphones are great considering the sound quality and the low price: US$30 on Kickstarter.
Find them on Kickstarter here.
Taxify enters Google Maps
A recent update integrates Taxify into Google Maps, which allows users to see nearby Taxify drivers alongside public transport and the other travel options shown in the app.
People planning their travel routes using Google Maps will now see a Taxify icon in the app, in addition to the familiar car, public transport, walking and billing options.
Taxify started operating in South Africa in 2016 and as of October 2018 operates in seven South African cities – Johannesburg, Ekurhuleni, Tshwane, Cape Town, Durban, Port Elizabeth and Polokwane.
Once riders have searched for their destination and asked the app for directions, Google Maps shares the proximity of cars on the Taxify platform, as well as an estimated fare for the trip.
If users see that taking the Taxify option is their best bet, they can simply tap on the ‘Open app’ icon to complete the process of booking the ride. Customers without the app on their device will be prompted to install Taxify first.
This integration makes it possible for users to evaluate which of the private, public or e-hailing modes of transport are most time-efficient and cost-effective.
“This integration with Google Maps makes it so much easier for users to choose the best way to move around their city,” says Gareth Taylor, Taxify’s country manager for South Africa. “They’ll have quick comparisons between estimated arrival times for the different modes of transport, as well as fares they can expect to pay, which will help save both time and money,” he added.
Taxify rides in Google Maps are rolling out globally today and will be available in more than 15 countries, with South Africa being one of the first countries to benefit from this convenient service.