Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Instagram Users Compromise Their Own Accounts for Likes

Created: 12 Nov 2013 20:48:34 GMT • Updated: 23 Jan 2014 18:03:11 GMT • Translations available: 日本語
Satnam Narang's picture
+2 2 Votes
Login to vote

Symantec Security Response has discovered many Instagram users have willingly shared their usernames and passwords to a bot-like app in order to increase likes and followers.
 

image1_15.png

Figure 1. InstLike application welcome and login
 

The application known as InstLike was available for iOS and Android devices. It could be found in both Apple App Store and Google Play Store. Google and Apple have since removed the applications from their respective stores. There is also a mobile version of the application online.

InstLike claims users will receive likes and followers for free. But as we have warned previously, these kind of “free” services for social networks are not actually free. In the case of InstLike, the application asks users to provide their Instagram login credentials. Applications that wish to interact with Instagram accounts, however, should instead use the Instagram API.
 

Instagram accounts hijacked for auto-promotion purpose

As a result of signing up for the InstLike service, users actually opt in to having their Instagram account externally controlled for the purpose of auto-liking and auto-following others. When we tested the application, right away our Instagram account began liking pictures without any consent or interaction from us.
 

Likes and followers for sale on Instagram

The InstLike app uses a virtual currency system that offers Instagram likes and followers for sale in exchange for coins purchased with real-world currency. Users can purchase coins in set US dollar amounts.

Coins

Price

100 coins (minimum)

US$1.00

5,000 coins (maximum)

US$50.00

image2_8.png

Figure 2. InstLike exchanges real-world money for Instagram likes and followers
 

A single like for an Instagram photo costs one coin and a single Instagram follower costs 10 coins.

Service

Cost

1 like

1 coin

1 follower

10 coins

1 day premium service

20 coins

A premium InstLike service that costs 20 coins gives users more flexibility in manipulating the “autoliker” functionality, such as enabling automatic photo-liking through custom hashtags. However, the InstLike app deliberately staggers likes of hashtags to avoid being banned from Instagram for bot-like activity.

Regardless of whether a user has the InstLike app installed or not, any Instagram user can receive a bonus of up to 20 likes by using a specific InstLike comment string.
 

image3_8.png

Figure 3. InstLike delivers likes through comment monitoring
 

Users can also refer others to join InstLike to earn coins. And we have found a YouTube tutorial showing how to create fake Instagram accounts in order to earn additional coins.
 

Real Instagram numbers skewed by auto-liking

Nearly half a million photos on Instagram include the hashtag #instlike_com. That results in more than 9 million auto-likes. However, since users can delete the InstLike hashtag comment after they receive their limit of 20 likes, the total number of auto-likes generated by this app is probably higher.

According to the Google Play Store, InstLike has had between 100,000 and 500,000 installs. The Apple App Store does not provide statistics, but the InstLike app is ranked #145 in Top Grossing iOS Applications due to in-app purchases. As a reference point, a popular game like Temple Run 2 is ranked #181 in Top Grossing iOS Applications.
 

image4_4.png

Figure 4. InstLike is an Top Grossing iOS Application
 

Instagram users willingly become part of social botnet

In social media, “numbers don’t lie,” as Jay-Z would say. The number of likes and followers a user acquires is an indication of success and social influence. There is a psychological desire to gain more likes and more followers. While a service like InstLike does serve this purpose, it comes at a significant security cost. Users are willingly giving their full login credentials to an unauthorized service and effectively become part of a social botnet.

InstLike violates Instagram’s terms of use as well as the API terms of service:

  • You agree that you will not solicit, collect or use the login credentials of other Instagram users.
  • You shall not use the Instagram APIs to post automated content to Instagram, including likes and comments that were not initiated and entered by an Instagram user.

If you have installed the InstLike application on your device, you should immediately uninstall it and change your Instagram password. Until you change your Instagram password, your account will be used for auto-liking and auto-following.

Symantec advises users never share account credentials to any third party applications or services. Third party applications or services that require access to your account or information should use the legitimate APIs and authorization protocols (OAuth 2.0, for instance).