Instagram users fell for a bold (and very effective) scam called InstLike, an app that promised users free Likes and followers if they entered their username and password. The app developers promised in the login screen, “We don’t steal your account,” but by all reports, the app did exactly that.
The InstLike scam was first reported by Mashable on Tuesday using data the website received from Symantec. The the computer security company spotted the scam in October, but by then at least 100,000 Instagram users had already fallen for it.
InstLike was offered as a free app on the App Store and Google Play starting September 19 and June 9 respectively. After users signed up, the app would start Liking random photos and following random users. It also asked users to purchase virtual coins to earn more Like sand followers, according to Symantec.
Even though the app raised a giant red flag by asking for a person’s username and password instead of using the Instagram API, InstLike survived scrutiny from Apple and Google for months. But Symantec warned the companies of the scam when it was uncovered. It was removed from Google Play on October 25 and the App Store banned it on November 7.
Still, in the months it was used, the Instagram scam app harvested tens of thousands of usernames and passwords. However, Symantec considers its numbers “conservative,” meaning it’s possible way more than 100,000 users were affected. It certainly isn’t the first app to scam users for information and money, but Symantec security researcher Satnam Narang called its tactics innovative. He told Mashable, “It’s just very interesting to see what length people will go to in order to get Likes on their photos.”
While the InstLike app has been removed from Google Play and the App Store, the website, InstLike.com, is still usable. Symantic suggests deleting the InstLike app from your phone or tablet and changing your password immediately.