Anyone casting a casual glance over Instagram may see nothing but beautiful scenery, toned bodies and delicious food.
But a sneaky third-party app that promised users it would tell them who had been viewing their profile turned out to be a password-stealing ploy by hackers.
InstaAgent was available to download from both the Google Play Store and Apple’s App Store – although both have since pulled it down.
Once installed, it would steal the victim’s Instagram username and password, before uploading them unencrypted to a server.
According to Apple Insider, the app is popular in the UK and has been downloaded by roughly half a million users.
Instagram, like many social media services, doesn’t let you see who’s viewed your profile and any promise to do so should set alarm bells ringing.
InstaAgent was free to download and appeared high up in the app store charts for some time.
“These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user’s accounts in an inappropriate way,” an Instagram spokesperson told Mirror Online.
“We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password.”
It’s the latest in a series of cowardly hackers targeting popular apps to try and steal passwords or ruin smartphones.
Earlier this week, security experts Lookout uncovered malware that embeds itself inside apps like Facebook and Whatsapp.
Called either Shedun, Shuanet or ShiftyBug, it would root your smartphone and render it useless.