Instagram users are once again the targets of malicious Android apps hosted on the Play Store, apps which steal their credentials on false claims of boosting their account's follower numbers.

In total, ESET security researcher Lukas Stefanko discovered 13 apps that appear to have been written by a Turkish developer. While seven of the 13 apps obviously focused on Turkish-speaking users, the rest targeted users from across the world.

Stefanko says he reported all 13 apps to Google's security team, who removed them from the Play Store last week.

The same ol' mode of operation

The modus operandi of all these apps was the same. The apps were advertised as means to boost Instagram follower numbers.

Once users installed the apps, a screen would appear asking users to log into their Instagram accounts. The app would then collect the user's login details, send them to a remote server, and show a login error.

The error would appear every time the user tried to authenticate, and after a certain number of login attempts, the error would change, and ask the user to visit the official Instagram site instead and authorize the app from there.

Instagram stealers
Apps designed for stealing Instagram credentials (via ESET)

By this point, the user's credentials were stolen, and the crook had already used them to log into the victim's account. When the user visited the Instagram homepage, he would see a notification from Instagram letting him know that someone has accessed his account.

If victims misunderstand this message and believe this was the app attempting to log in, they might not understand that someone else (and not an app) had accessed their account.

Stolen credentials used for online services selling Instagram likes

From this point on, if victims don't change their passwords, the crook would use the victim's Instagram account to like images or follow other accounts.

Stefanko believes these apps power online services that offer Instagram likes and followers for money.

These 13 apps also look to be part of a network of Instagram credential-stealing apps developed by a team of Turkish developers. Back in January, the researcher discovered a similar app that stole Instagram credentials and targeted Turkish users. That app, as well, was hosted on the official Google Play Store.

Other ways in which hackers could use the stolen Instagram credentials is to post image ads on people's profiles and to extort some kind of payment from the owners of accounts with a large follower base.

Overall, there have been many cases of apps that stole Instagram credentials in the past few years.

In November 2015, Apple removed an app named "Who Viewed Your Profile - InstaAgent" from the App Store because of the same behavior. Six months later, Google faced a similar incident and was forced to remove two apps named "Who Viewed Me on Instagram" and "InstaCare - Who cares with me?," also caught stealing Instagram credentials.