SecureMac Notifies Apple of Password-Stealing Trojan Horses in the App Store


A pair of Trojan horses have been shut down after wreaking havoc with some users' Instagram accounts

SecureMac, one of the key contributors to the Mac security world, today reports that a pair of password-stealing Trojan horses in the App Store that wreaked havoc with some users' Instagram accounts have been shut down by Apple. Consumers who downloaded InstaCare – Who cares with me? or the similarly named Who Cares With Me – InstaDetector are strongly encouraged to double-check the security of their Instagram accounts.

The Trojan horses, which were distributed in the Google Play Store as well, enticed Instagram users with the lure of seeing who viewed their profile. Once installed, the malicious apps stole login credentials for Instagram, sending the username and password to a server controlled by the malware author. From there, the infected Instagram accounts were hacked and used to post spam messages on the user’s feed.

Malware that makes it past Apple’s stringent review process and into the App Store is a rarity in and of itself, but a few key things made these new Trojan horses even more notable. Apple has the ability to revoke a developer’s code signing certificate, which is required for an app to run on an iPhone or iPad, and can quickly stop the spread of malware.

Eagle-eyed iOS developer David Layer-Reiss from Peppersoft, a small German-based software development studio, first spotted the pair of Trojans. Layer-Reiss, who had an eye on the malware author ever since discovering his first malware attempt last fall, has an in-depth analysis of the threats on his site. Additional technical analysis can be found at the SecureList blog.

The Trojans Are No Longer Live in the App Store

The fact that the malware remained live in the App Store for an extended period, despite many users leaving 1-star reviews and complaining about being hacked, is abnormal. Historically, Apple is very quick to remove malicious apps from the App Store, but these two Trojans infected a huge number of users for over six weeks. During this time period, the app had continued to rank high in the charts across the board, and was the #1 app in the entertainment category for Great Britain, and in the top 10 apps overall.

Prior to its removal from the Google Play Store, one of the Trojans was listed as having between 100,000 and 500,000 installs, and it is likely that a large number of iOS users have been infected, as well.

New Language, New Malware

The iOS variant of this malware was written in Apple’s new Swift programming language. Apps written in Swift, which Apple is touting as the future of app development for iOS, have been allowed in the App Store since September. While there are no technical hurdles when it comes to writing malware in Swift, this appears to be the first known example of Swift-based malware found in the wild. This shows that the bad guys are also keeping up with the latest technologies promoted by Apple.

Malware Removal Instructions for Apple iOS

The first thing that users affected by this malware should do is change their Instagram passwords, using the “forgot password” link directly from the Instagram site if need be. Due to security restrictions put in place by Apple on iOS, it’s not possible for antivirus software to scan your iPhone or iPad directly. Instead, if a user has the Trojan horse on their iPhone or iPad, they will need to manually locate the InstaCare or InstaDetector app, tap and hold the app icon until it wiggles, then press the X button to remove it from the device.

If a user syncs their iOS device with their Mac, or has downloaded their iOS apps directly to their computer through iTunes, the malware may be present on their system. While this Trojan horse cannot harm OS X itself, it’s a good idea to get rid of it so it doesn’t inadvertently sync back to their iPhone or iPad. Users can manually delete the Trojan horses from their Macs by following these steps:

1. Open iTunes on the user's Mac.

2. Click the View menu at the top of the screen, click the More submenu, and then click Apps.

3. Locate the InstaCare – Who cares with me? or Who Cares With Me – InstaDetector app in the list, and single-click the app to highlight it.

4. Either press the delete key on the keyboard, or select Delete from the Edit menu to remove the app from the system.

Users of SecureMac's MacScan 3 with up-to-date definitions can detect these Trojans as iOS/Instealy.A and iOS/Instealy.B. MacScan 3 will automatically check for malware definition updates every time you run a scan while connected to the Internet.

About SecureMac
SecureMac’s award-winning lineup of Mac security and privacy software features MacScan 3, the next-generation of its flagship malware protection app, along with PrivacyScan, a utility designed to seek and destroy privacy threats on OS X. Since 1999, SecureMac has been at the forefront of Macintosh system security, offering news, advisories, reports, how-to’s and guides with the goal of increasing privacy and security awareness. SecureMac recently relaunched, providing a dependable resource for everything Apple and Mac to home, small business, enterprise, and government users alike.


Contact Author

Jessica Fitzgerald
+1 215-644-6509