WASHINGTON, Nov. 11 (UPI) -- InstaAgent, an Android and iOS app that lets users see who has viewed their profile, was removed from app stores after it was found to be stealing passwords.
Self-employed German developer David Layer-Reiss initially found the security flaw and posted an image of his find to Twitter on Tuesday. Layer-Reiss said usernames and passwords were sent to unknown servers and that the app posted ads to their Instagram accounts without permission.
Released last month, the app became popular in the United Kingdom, United States, Germany and Canada.
It hit the top of the U.K.'s free apps chart on Nov. 7 and remained there for four days. Additionally, the Android version was downloaded more than 100,000 times from the Google Play app store despite a 2.2 star rating. Its iOS version showed a four-star rating on the app store.
In another tweet, Layer-Reiss said, "I would say 'Who Viewed Your Profile - InstaAgent' is the first malware in the iOS Appstore that is downloaded half a million times."
The app was absent from both app stores by Wednesday morning.
#InstaAgent is only able to post a image in your #Instagram account because they got your account password! #hacked pic.twitter.com/0vD1OJBY9l— David L-R (@PeppersoftDev) November 10, 2015
This is the second time in recent months that Apple's App Store, typically regarded as having a rigorous vetting process for new apps, has experienced such an issue. In September, hundreds of apps on the App Store were found to be infected with malicious development code.