Author: Dexter Shin
Instagram has become a platform with over one billion monthly active users. Many Instagram users want to increase their follower count, as it has become a symbol of a person's popularity. Instagram's huge user base has not escaped the notice of cyber criminals. McAfee's mobile research team recently discovered new Android malware disguised as an app to increase Instagram followers.
How can you increase your followers or likes?
You can easily find apps on the internet that increase the number of Instagram followers. Some of these apps require both a user account and a password. In other types of apps, users only need to input their user account. But are these apps safe to use?
Many YouTubers have tutorial videos explaining how to use these apps. They log in to the app with their own account and show that the number of followers is increasing. One domain was displayed repeatedly across many of these videos.
The procedure the domain presents is very simple:
- Log in with user account and password.
- Check the credentials via the Instagram API.
- After logging in, users can enjoy many features provided by the app. (Free followers, free likes, unlimited comments, etc.)
- In the case of free followers, the user needs to input how many followers they want to get.
When you run the function, you will see the number of followers increase every few seconds.
How does this malware spread?
Some Telegram channels are promoting YouTube videos that carry domain links to the malware.
We have also seen a video from a famous YouTuber with over 190,000 subscribers promoting a malicious app. However, in the comments on the video, some people say that their credentials are being stolen.
Behavior analysis of the malware
We analyzed the applications that are being promoted by the domain. The hidden malware does not require many permissions and therefore does not appear to be harmful. When users launch the app, they only see the following website via Android WebView.
After inspecting the app, we noticed that the initial code does not have many features. After showing an ad, it immediately shows the malicious website. The malicious activity takes place in the backend of the website, not in the Android app.
The website states that your transactions are made using the Instagram API system with your username and password. It claims this is secure because the user's credentials are used through Instagram's official server, not their remote server.
Contrary to many people's expectations, a few minutes after using the app, we received an unusual login attempt from Turkey. The device that logged into the account was not an Instagram server but a personal device, a Huawei model identified as LON-L29.
As shown above, they do not use an Instagram API. In addition, the number of followers increases as you request more followers. In other words, the credentials you provide are used to increase the follower counts of other requesters. Everyone who uses this app is connected to everyone else in this way. Moreover, they will store and use your credentials in their database without your consent.
How many users are affected?
The languages of most communication channels were English, Portuguese and Hindi. In particular, Hindi was the most common, and most videos had over 100 views. In the case of a famous YouTuber's video, they recorded over 2,400 views. In addition, our test account gained 400 followers in one day. This means that at least 400 users have sent credentials to the malware author.
Conclusion
As we mentioned in the opening, many Instagram users want to increase their followers and likes. Unfortunately, attackers are also aware of this desire and use it to attack them.
Therefore, users who want to install these apps should consider that their credentials may be leaked. There may also be secondary attacks such as credential stuffing (= using a stolen username and password pair on another website). Beyond the cases above, there are many similar apps on the internet that have not yet been identified. You should not use suspicious apps to get followers and likes.
McAfee Mobile Security identifies this threat as Android/InstaStealer and protects you from this malware. For more information, visit McAfee Mobile Security.
Indicators of compromise
SHA256:
- e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2
- 6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907
Domain:
- https[://]insfreefollower.com
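One way to put the indicators above to work, added here as an example (not McAfee's code): it refangs the published domain, matches it and its subdomains in proxy or DNS log fields while rejecting look-alike names, and checks file bytes against the two SHA256 values. The function names and the log layout are assumptions, and the sample log lines are constructed.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from this page's "Indicators of compromise" list.
IOC_SHA256 = {
    "e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2",
    "6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907",
}
IOC_DOMAINS = ["https[://]insfreefollower.com"]  # defanged, as published

def refang(text):
    """Undo common defanging: [://], [.], (.) and hxxp."""
    text = text.strip().replace("[://]", "://").replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)

def host_of(value):
    """Lower-cased hostname of a URL, host:port or bare host ('' if unparsable)."""
    value = refang(value)
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
        return (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

IOC_HOSTS = {host_of(d) for d in IOC_DOMAINS}

def host_matches(value, hosts=IOC_HOSTS):
    """True for a listed host or its subdomains, not for look-alike names."""
    host = host_of(value)
    return any(host == h or host.endswith("." + h) for h in hosts)

def sha256_matches(data, known=IOC_SHA256):
    """True if the SHA-256 of a file's bytes (e.g. an APK) is a listed hash."""
    return hashlib.sha256(data).hexdigest() in known

def scan_log(lines):
    """Return the log lines in which any whitespace-separated field matches."""
    return [ln for ln in lines if any(host_matches(f) for f in ln.split())]

# Constructed proxy-log lines (not real traffic) to exercise the matcher.
SAMPLE_LOG = [
    "1700000001 10.0.0.5 GET https://insfreefollower.com/login 200",
    "1700000002 10.0.0.7 CONNECT www.insfreefollower.com:443 200",
    "1700000003 10.0.0.9 GET https://insfreefollower.com.example.net/ 200",
    "1700000004 10.0.0.9 GET https://notinsfreefollower.com/ 200",
]

if __name__ == "__main__":
    print("\n".join(scan_log(SAMPLE_LOG)))
```

Only the first two sample lines are reported; the last two show why the comparison is done on the parsed hostname rather than with a substring search.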