InstaAgent Summary


I discovered InstaAgent two days ago in the top charts of the iOS App Store. I was wondering how they could provide information that Instagram couldn’t or would not. I downloaded the app; as expected, the app was showing me some “strange” information about my “top” Instagram visitors. That was suspicious. So I analysed the app. I monitored the network traffic of the app, and I found a suspect HTTP POST to an “unknown” server. The InstaAgent app sent this packet after the user authorised an Instagram “application” called “Profil Analizi” from the app.

This suspicious packet contained the Instagram username and password and was sent to “instagram.zunamedia.com”:

csrfmiddlewaretoken=e18285ef0c51a816aca46858ad6bea53&username=x&password=x 


Another notable fact is that the InstaAgent developer used the subdomain instagram.zunamedia.com to send to his server data that was EXACTLY the same as the data sent to the official Instagram servers. I think that he wanted to “hide” his malicious HTTP packet, because at first glance it looked like an “official” HTTP packet to the Instagram servers (however, this is only a presumption).
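The manual traffic check described above can be automated. The following is an added example, not code from the original post: it scans captured HTTP requests (assumed to be available as decoded text) for a password field posted to a host outside the service's own domain, and marks hosts that reuse the brand name as a label. The allowlist, the `/login` path and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

# Assumption: registrable domains treated as official for the service under test.
OFFICIAL_DOMAINS = {"instagram.com"}
BRAND = "instagram"
SECRET_FIELDS = {"password", "passwd", "pwd"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, host, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").lower().split(":")[0].rstrip(".")
    return method, host, parse_qs(body, keep_blank_values=True)

def is_official(host):
    # Exact match or true subdomain; "instagram.com.example.net" does not pass.
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def audit(raw):
    """Return a finding if credentials are posted to a non-official host, else None."""
    method, host, form = parse_request(raw)
    leaked = sorted(SECRET_FIELDS & {k.lower() for k in form})
    if method != "POST" or not leaked or is_official(host):
        return None
    # lookalike: the brand appears as a DNS label of a foreign domain
    return {"host": host, "fields": leaked, "lookalike": BRAND in host.split(".")}

def make_request(host, body):
    # Constructed request; "/login" is a placeholder path, not taken from the post.
    return (f"POST /login HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

# Constructed sample captures; the body mirrors the form fields quoted in the post.
BODY = "csrfmiddlewaretoken=e18285ef0c51a816aca46858ad6bea53&username=x&password=x"
CAPTURES = [make_request("instagram.com", BODY),
            make_request("instagram.zunamedia.com", BODY),
            make_request("instagram.com.example.net", BODY)]

if __name__ == "__main__":
    for raw in CAPTURES:
        print(audit(raw) or "ok")
```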

About 24h after I used the app, an image (self-advertising for InstaAgent) was published (WITHOUT my permission) to my Instagram account.

Today the developer said in a public statement (http://zunamedia.com) “Your password never saved unauthorized servers”, but I think this is wrong, because the Instagram “application” “Profil Analizi” has NO permission to publish photos to an Instagram account (ACCESS YOUR BASIC INFORMATION, Includes photos, friend lists & profile info).
As far as I see it, it appears that in order to publish the ad image hours later, InstaAgent had to SAVE the Instagram login credentials to their servers to log in later to your Instagram account to publish the ad image!

Another strange fact is that it is nearly impossible (for me) to identify the developer of InstaAgent (his App Store dev name was Turker Bayram). And why didn’t the #InstaAgent developer sign his statement?
And if you do a WHOIS on the zunamedia.com server, you cannot get any information because of a domain proxy. Why is he hiding his identity? Who is Zunamedia?

To sum up, the behaviour of InstaAgent is very, very strange; you should not use the app. Theoretically, the app developer now has access (and the credentials) to over half a million Instagram accounts.

12.11.15 18:01
That’s my assumption, all information without guarantee (;