Insert your username and password, get
free followers and likes. This is what
tens of thousands of Instagram users
thought was happening.
More than 100,000 Instagram users fell
for a bold, effective scam called
InstLike, an app that promised free likes
and followers on the photo sharing
platform. The app asked users to share
their usernames and passwords after
downloading, turning them into willing
participants of a giant social botnet.
After users signed up for the free app,
InstLike would begin liking random
photos and following random users. It
also asked users to buy virtual coins to
accrue more likes and followers,
according to new research by security
firm Symantec, shared exclusively with
Mashable.
"We don't steal your account," the app
developers promised in the login
screen. But InstLike did just that.
Symantec estimates that at least
100,000 users fell for the scam. The app
was able to add Likes and followers
using those real accounts to feed the
scam ecosystem. The more people took
the bait, the more followers and Likes it
delivered.
Despite raising a giant red flag by
directly asking for login credentials
instead of using the Instagram API, the
app was very successful and survived
scrutiny from Apple and Google for
months, according to Symantec, which
spotted the scam in late October.
The Android app was created on June 9,
while its corresponding iOS app was
released on September 19, per app
store analytics website App Annie.
After Symantec warned Apple and
Google, the app was removed from
Google Play and the App Store on
October 25 and November 7
respectively.
But according to Symantec, it was
downloaded and used by many people
collectively before then, harvesting a
treasure trove of accounts into its
botnet.
On October 5, InstLike hit its peak in
the App Store, where it was No. 22
under most downloaded "utility" apps
and No. 571 overall, according to App
Annie.
In the Google Play store, InstLike had
between 100,000 and 500,000
downloads before it was pulled, with
more than 100,000 ratings across app
stores, per Symantec. These numbers
led the firm to estimate that at least
100,000 users gave their passwords to
InstLike, a figure Symantec considers
"conservative."
"People didn't realize that they were
being duped into giving their login
credentials to this app," Satnam Narang,
the security researcher at Symantec
who found out about InstLike, said in an
interview with Mashable.
It also convinced people to pay for extra
Likes and followers. For almost an
entire month, from October 8 until
November 7, when it was removed from
the App Store, InstLike was either the
No. 2 or the No. 1 highest-grossing app
among utilities applications, and in the
top 200 overall.
This is not the first app that has tried to
scam social media users by promising
Likes and followers, but its tactics were
fairly innovative, Narang explained.
Normally, this kind of scam app asks for
money upfront, but this app was free
and used real accounts, not fake ones.
Users perhaps were naive to give up
their passwords, but the app was
sophisticated; it used a variety of ways
to convince people to pay for virtual
coins and spread the app.
Instagram sent Mashable the following
statement: "Posting automated content
to Instagram clearly violates our Terms
of Use. We have a team dedicated to
stopping abuse on the service and
enforcing our policies, including
removing content that violates our
terms."
Although the apps have since been
removed from Google Play and the App
Store, the app's site, InstLike.com, is still
operational. If you downloaded the app
and gave out your credentials, Symantec
suggests changing your password
immediately, then deleting the app
from your phone. Otherwise, InstLike
will continue to post from your account.
Source: Mashable.com
Instagram scam tricks 100,000 users
Posted by Oluseyi Olaniyi
Posted on Thursday, November 14, 2013