InstaAgent was a popular app in Canada and the United Kingdom but available around the world. As many as 500,000 people downloaded the fishy app. They should immediately change their Instagram password — and any other place they use that password.
This is the latest proof that nasty stuff still sneaks into Apple's app store, even though the company tightly guards it.
Apple (AAPL, Tech30) didn't return calls from CNNMoney.
People downloaded InstaAgent, because it promised a feature that Instagram doesn't provide its customers: finding out who takes a peek at your profile.
"These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way," Instagram warned.
In some cases, the app took the liberty of posting images to a person's Instagram account, including advertisements for others to download InstaAgent.
This episode was uncovered by David Layer-Reiss, a 16-year-old in Germany who independently creates iPhone apps in his spare time. He spoke to CNNMoney about how he discovered this.
On Monday, he downloaded InstaAgent and examined what information it was sending out of his phone. The code revealed that InstaAgent was transmitting his username and password in plain text to a mysterious computer server.
That server belongs to ZunaMedia.com — but it's unclear who owns that site. The listed iOS developer who created InstaAgent is Turker Bayram. CNNMoney could not locate any software developers by that name.
Layer-Reiss, the 10th grader who exposed this, said he worries that half a million people could get their email and bank accounts hijacked if they keep the same username and password elsewhere.