Instagram credentials Stealers: Free Followers or Free Likes | McAfee Blog

McAfee’s Mobile Research Team discovered Android apps that promise free Instagram followers/likes but load a malicious website inside an Android WebView to harvest user credentials. The backend service (insfreefollower.com) stores and reuses those credentials to perform unauthorized logins and inflate other users’ follower counts; McAfee detects this as Android/InstaStealer. #AndroidInstaStealer #insfreefollower

Key points

  • McAfee identified Android apps that masquerade as follower/likes booster tools but act as credential stealers.
  • The apps use an embedded Android WebView to display a malicious website that performs the harmful activity rather than the app itself.
  • The malicious site claims to use the Instagram API but actually collects credentials and sends them to a backend (insfreefollower.com) for storage and reuse.
  • After using the app, abnormal login attempts were observed from a Huawei device in Turkey (device model LON-L29), indicating remote unauthorized logins.
  • Stolen credentials are reused to increase follower counts for other users, creating a network of compromised accounts and risking credential stuffing on other services.
  • Distribution channels included promoted YouTube videos and Telegram links directing users to the malicious domain.
  • McAfee detects the threat as Android/InstaStealer and published IOCs including two SHA256 hashes and the domain insfreefollower.com.

MITRE Techniques

  • No MITRE ATT&CK techniques are explicitly mentioned in the article.

Indicators of Compromise

  • [SHA256] Malicious app samples – e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2, 6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907
  • [Domain] Backend credential harvesting site – https[://]insfreefollower.com

The technical attack flow begins when a user installs an Android app that appears benign but simply embeds a remote webpage via Android WebView. The app’s APK contains minimal code: after showing an advertisement, it immediately redirects the WebView to a malicious site, which prompts for Instagram credentials while claiming to use the official Instagram API.

Once credentials are entered, the site forwards them to a backend server (insfreefollower.com), where they are stored. McAfee observed subsequent unauthorized logins from a non-Instagram device (Huawei LON-L29) located in Turkey, demonstrating that the logins were performed from attacker-controlled devices rather than through Instagram itself. The collected credentials are then reused to generate follower activity for other requesters, linking users together and enabling large-scale account compromise and potential credential-stuffing attacks against other services.

Analysis shows the malicious behavior is implemented server-side rather than in-app, making the APK appear harmless and evading scrutiny; detection is achieved via file hashes and domain indicators, and McAfee identifies the threat as Android/InstaStealer.
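Because the APK itself carries almost no logic, a defender triaging a suspicious follower-booster app has two practical hooks from the IOCs above: the sample hashes and the hard-coded backend domain the WebView is pointed at. The script below is an added example, not code from McAfee or the article; it refangs the published domain, hashes an APK, and scans every zip entry (DEX, resources, assets) for the domain and for a WebView reference. The sample APK it builds is constructed in-memory for the demo and is not a real malware file.

```python
"""Triage an APK against the Android/InstaStealer IOCs published in the article."""
import hashlib
import io
import re
import zipfile

# IOCs as listed in the article: two sample SHA256 hashes and the defanged backend domain.
IOC_SHA256 = {
    "e292fe54dc15091723aba17abd9b73f647c2d24bba2a671160f02bdd8698ade2",
    "6f032baa1a6f002fe0d6cf9cecdf7723884c635046efe829bfdf6780472d3907",
}
IOC_DEFANGED_DOMAIN = "https[://]insfreefollower.com"


def refang(ioc: str) -> str:
    """Undo common defanging ([://], [.], hxxp) and strip the scheme, leaving a bare host."""
    literal = ioc.replace("[://]", "://").replace("[.]", ".").replace("hxxp", "http")
    return re.sub(r"^[a-z]+://", "", literal).rstrip("/").lower()


def triage_apk(apk_bytes: bytes) -> dict:
    """Return hash match plus the zip entries that reference the IOC domain or WebView."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    result = {"sha256": digest, "hash_match": digest in IOC_SHA256,
              "domain_hits": [], "webview_hits": []}
    domain = refang(IOC_DEFANGED_DOMAIN).encode()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            blob = apk.read(name)
            # DEX string tables hold ASCII URLs verbatim, so a byte search suffices here;
            # the same check covers res/, assets/ and any bundled HTML.
            if domain in blob.lower():
                result["domain_hits"].append(name)
            # WebView use alone is benign; it only matters together with a domain hit.
            if name.endswith(".dex") and b"Landroid/webkit/WebView;" in blob:
                result["webview_hits"].append(name)
    # Verdict: hash match or backend domain present anywhere in the package.
    result["suspicious"] = result["hash_match"] or bool(result["domain_hits"])
    return result


def build_sample_apk(url: bytes) -> bytes:
    """Constructed stand-in APK: a zip with a fake classes.dex embedding a WebView URL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00Landroid/webkit/WebView;\x00" + url + b"\x00")
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(b"https://insfreefollower.com/start")))
```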

Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/