Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds - MacRumors
Skip to Content

Malicious App 'InstaAgent' Sends Instagram Passwords to Unknown Server, Posts Spam in Users' Feeds

by

InstaAgent, an app that connects to Instagram and promises to track the people that have visited a user's Instagram account, appears to be storing the usernames and passwords of Instagram users, sending them to a suspicious remote server.

An app developer from Peppersoft downloaded InstaAgent -- full name "Who Viewed Your Profile - InstaAgent" -- and discovered it's reading Instagram account usernames and passwords, sending them via clear text to a remote server - instagram.zunamedia.com.

passwordzunemedia
InstaAgent is also using the credentials to log into accounts and post unauthorized images. Instagram does not permit third-party apps to upload photos to user accounts.

instagramunauthorizedposting
While InstaAgent isn't particularly popular in the United States, it is currently the number one free app in both the United Kingdom and Canada, with thousands of downloads that puts a huge number of Instagram users at risk of having their information stolen. In the Google Play store, the app had between 100k and 500k users, and the install numbers could be similar for iOS.

topapps
Google has removed the InstaAgent Android app from the Google Play store, but InstaAgent is still available in the iOS App Store for the time being. Anyone who has downloaded InstaAgent should delete the app immediately and change their Instagram password.

Passwords for other sites and accounts that were the same as the Instagram password should also be changed as a precaution. We also highly recommend a password management app like 1Password, which can generate unique complex passwords for each and every site or service. Instagram also advises against installing third-party apps that don't follow its Community Guidelines.

There are dozens if not hundreds of third-party apps that promise to provide Instagram users with followers and other perks, and these kind of apps should be avoided. According to Instagram, these apps are "likely an attempt to use your account in an inappropriate way" as InstaAgent does.

Update 3:20 p.m. Pacific Time: InstaAgent has now been removed from the iOS App Store.

Tags: InstaAgent, Instagram

Popular Stories

Instagram Feature 2

PSA: Instagram Encrypted Messaging Ends on Friday, May 8

Tuesday May 5, 2026 8:24 am PDT by
Instagram will remove end-to-end encryption for direct messages between users from May 8, 2026. When the date comes around, Meta will potentially be able to see the contents of all messages between users on the social media platform. Encrypting messages has been an optional feature in Instagram since 2023, but in March of this year the social media platform quietly updated a help page to say ...
Read Full Article54 comments
Instagram Feature 1

Warning: Instagram DMs Lose End-to-End Encryption Starting Today

Friday May 8, 2026 12:37 pm PDT by
As of today, end-to-end encryption for Instagram direct messages is no longer available. DMs that you send to people on Instagram will no longer feature full encryption, and your conversations are not protected from Meta. Meta can potentially see what's in messages shared between users on Instagram, and that information can be shared with law enforcement agencies worldwide. End-to-end...
Read Full Article53 comments
Apple Event Logo

Apple's Next Era Begins September 1

Thursday May 7, 2026 10:36 am PDT by
Apple recently announced that Tim Cook will be stepping down as CEO later this year, after 15 years of leading the company. Effective September 1, Apple's hardware engineering chief John Ternus will become the company's next CEO, while Cook will become executive chairman of Apple's board of directors. In his new role, Apple said Cook will assist with "certain aspects" of the company,...
Read Full Article

Top Rated Comments

gpsouza Avatar
gpsouza
137 months ago
We are getting lots of fake apps into the AppStore while lots of good apps are rejected because some silly thing that no one cares.
Score: 42 Votes (Like | Disagree)
B
BigHam
137 months ago
After they remove this crap, they should remove instagram while they're at it.
Score: 26 Votes (Like | Disagree)
Phil A. Avatar
Phil A.
137 months ago
While it's easy to victim blame people who have been caught out by this, it highlights a big issue with the curated App Store model: many people implicitly trust that any app that Apple has allowed onto the store will not be malicious and they will therefore do stupid things (such as providing their login details)

This is a massive breach of trust by Apple and they need to take the review process a hell of a lot more seriously than they appear to be doing

It's also ironic that Google have already killed this on their store, but it's still there on the iOS store!
Score: 17 Votes (Like | Disagree)
Caseynd Avatar
Caseynd
137 months ago
slipped it past the monitors eh? sounds like they need some better app approvers
Score: 16 Votes (Like | Disagree)
A
applerocks
137 months ago
How on earth did Apple approve this? Goodness. Wonder if they also posted the Facebook privacy message on their news feed, and sent money to recover their long-lost uncle in Africa.

Seems like the appropriate time for Apple to use the "kill switch" on iOS Apps and shut this thing down.
Score: 15 Votes (Like | Disagree)
sniffies Avatar
sniffies
137 months ago
After they remove this crap, they should remove instagram while they at it.
Why? What's wrong with Instagram? They should remove SnapChat and Yik Yak.
Why? What's wrong with Snapchat and Yik Yak? They should remove Grindr and Facebook.
Score: 13 Votes (Like | Disagree)
Read All Comments