
The Instagram Scam That Tricked 100K Users Into Giving Away Their Passwords

Insert your username and password, get free followers and Likes. This is what tens of thousands of Instagram users thought was happening.
More than 100,000 Instagram users fell for a bold, effective scam called InstLike, an app that promised free Likes and followers on the photo sharing platform. The app asked users to share their usernames and passwords after downloading, turning them into willing participants of a giant social botnet.
After users signed up for the free app, InstLike would begin Liking random photos and following random users. It also asked users to buy virtual coins to accrue more Likes and followers, according to new research by security firm Symantec, shared exclusively with Mashable.
"We don't steal your account," the app developers promised in the login screen. But InstLike did just that.
Based on the thousands of accounts the app collected, Symantec estimates that at least 100,000 users fell for the scam. The app used those real accounts to add Likes and followers, feeding the scam's own ecosystem: the more people took the bait, the more followers and Likes it could deliver.
Despite raising a giant red flag by directly asking for login credentials instead of using the Instagram API, the app was very successful and survived scrutiny from Apple and Google for months, according to Symantec, which spotted the scam in late October.
The Android app was created on June 9, while its corresponding iOS app was released on Sept. 19, per app store analytics website App Annie.

After Symantec warned Apple and Google, the app was removed from Google Play and the App Store on Oct. 25 and Nov. 7, respectively.
But according to Symantec, it was downloaded and used by tens of thousands of people collectively before then, harvesting a treasure trove of accounts into its botnet.
On Oct. 5, InstLike hit its peak in the App Store, where it was No. 22 under most downloaded "utility" apps and No. 571 overall, according to App Annie.
In the Google Play store, InstLike had between 100,000 and 500,000 downloads before it was pulled, with more than 100,000 ratings across app stores, per Symantec. These numbers led the firm to estimate that at least 100,000 users gave their passwords to InstLike, a figure Symantec considers "conservative."
"People didn't realize that they were being duped into giving their login credentials to this app," Satnam Narang, the security researcher at Symantec who found out about InstLike, said in an interview with Mashable.
It also convinced people to pay for extra Likes and followers.
For almost an entire month, from Oct. 8 until Nov. 7, when it was removed from the App Store, InstLike was either the No. 2 or the No. 1 highest-grossing app among utilities applications, and in the top 200 overall.
Apple doesn't release the exact number of downloads or revenue from an app, but for comparison's sake, those grossing numbers are similar to a popular game such as Temple Run 2.
This is not the first app that has tried to scam social media users by promising Likes and followers, but its tactics were fairly innovative, Narang explained. Normally, these kinds of scam apps ask for money upfront, but this app was free and used real accounts, not fake ones.
"It's just very interesting to see what length people will go to in order to get Likes on their photos," Narang added.
Users perhaps were naive to give up their passwords, but the app was sophisticated; it used a variety of ways to convince people to pay for virtual coins and spread the app.
The app allocated 20 free coins per day to users. One Like would cost you one coin and one follower cost 10 coins. After those 20 daily coins, a user had to buy more with real money. The minimum purchase of 100 coins would set you back just $1, and if you referred another user to InstLike, you received 50 free coins, encouraging users to recruit new players.
The app included an auto-Like feature that sent 500 Likes to pictures with common hashtags, in hopes of receiving Likes in return or follow-backs. For 20 coins, a user could purchase a one-day premium service that allowed him to send up to 1,500 Likes and customize the target hashtags.
Moreover, a user would get 20 free Likes if he used the hashtag #instlike_com in his own photo captions. A search on Instagram reveals that more than 500,000 photos already contain that hashtag.
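The activity pattern described above (hundreds of Likes on hashtagged photos in a short time, follows at scale, and the #instlike_com caption hashtag) is exactly what a platform's abuse team, or a user reviewing their own account history, would look for. The following is an added example written for this page, not code from the Mashable article or from Symantec's research: a small heuristic that runs over a constructed account-activity log and flags accounts whose behaviour matches that pattern. The log format, the thresholds, and the account names are assumptions made for the illustration.

```python
"""Heuristic detector for bot-like Like/follow bursts of the kind attributed to InstLike.

Added example for this page; not Symantec's or Mashable's code. The event schema,
thresholds and the sample log are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds, loosely sized against the 500 to 1,500 Likes per day the
# article attributes to InstLike's auto-Like feature. A human does not Like 200
# photos inside an hour.
LIKE_BURST_THRESHOLD = 200
FOLLOW_BURST_THRESHOLD = 50
WINDOW = timedelta(hours=1)
SIGNATURE_TAG = "#instlike_com"  # caption hashtag the article says earned free Likes


def parse_event(line):
    """Parse 'ISO-timestamp account action target [hashtag ...]' into a dict."""
    ts, account, action, target, *tags = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "account": account,
        "action": action,
        "target": target,
        "tags": tags,
    }


def max_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window (two-pointer scan)."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_accounts(lines, window=WINDOW):
    """Return {account: [reasons]} for accounts whose activity looks automated."""
    likes = defaultdict(list)
    follows = defaultdict(list)
    tagged_posts = defaultdict(int)
    for line in lines:
        ev = parse_event(line)
        if ev["action"] == "like":
            likes[ev["account"]].append(ev["ts"])
        elif ev["action"] == "follow":
            follows[ev["account"]].append(ev["ts"])
        elif ev["action"] == "post" and SIGNATURE_TAG in ev["tags"]:
            tagged_posts[ev["account"]] += 1

    flagged = defaultdict(list)
    for acct, ts in likes.items():
        n = max_in_window(ts, window)
        if n >= LIKE_BURST_THRESHOLD:
            flagged[acct].append(f"{n} Likes within {window}")
    for acct, ts in follows.items():
        n = max_in_window(ts, window)
        if n >= FOLLOW_BURST_THRESHOLD:
            flagged[acct].append(f"{n} follows within {window}")
    for acct, n in tagged_posts.items():
        flagged[acct].append(f"{n} post(s) carrying {SIGNATURE_TAG}")
    return dict(flagged)


def constructed_sample_log():
    """Constructed log: one human-paced account ('alice') and one bot-like account ('bob')."""
    base = datetime(2013, 10, 8, 12, 0, 0)
    lines = []
    # alice: five Likes spread across an hour, no follows, no signature hashtag.
    for i in range(5):
        t = base + timedelta(minutes=12 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} alice like photo:{1000 + i} #sunset")
    # bob: 500 Likes on hashtagged photos in about ten minutes, 60 follows, a tagged post.
    for i in range(500):
        t = base + timedelta(seconds=int(i * 1.2))
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} bob like photo:{2000 + i} #love #instagood")
    for i in range(60):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S} bob follow user:{3000 + i}")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%S} bob post photo:4000 #selfie {SIGNATURE_TAG}")
    return lines


if __name__ == "__main__":
    for acct, reasons in flag_accounts(constructed_sample_log()).items():
        print(acct, "->", "; ".join(reasons))
```

Run as a script it reports only `bob`, with all three reasons; `alice` stays unflagged. The sliding-window count is the important piece: a daily total hides a ten-minute burst, whereas the densest one-hour window exposes it, and the same scan works for follows. The hashtag check is the cheapest signal of all, since the article notes the tag was already present on more than 500,000 photos.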
All these features made InstLike a sophisticated ecosystem that employed thousands of voluntary "zombie" accounts — but it depended on their naiveté and willingness to give up their passwords. For Narang, who is experienced in the realm of social media-based scams, the sheer volume of people involved is scary.
"This is the generation of the future," Narang said. "If you're willingly giving out your login credentials for your social media accounts, that's bad security policy."
It's unclear how the app survived scrutiny for so long. An Apple spokesperson declined to comment to Mashable and Google did not respond to multiple requests for comment.
Instagram sent Mashable the following statement: "Posting automated content to Instagram clearly violates our Terms of Use. We have a team dedicated to stopping abuse on the service and enforcing our policies, including removing content that violates our terms."
Although the apps have since been removed from Google Play and the App Store, the app's site, InstLike.com, is still operational. If you downloaded the app and gave out your credentials, Symantec suggests changing your password immediately, then deleting the app from your phone. Otherwise, InstLike will continue to post from your account.

Source: http://mashable.com/
