The warning comes as security researchers discovered thirteen malicious apps in the Google Play Store.
The apps, which phish for login credentials then send them back to a remote server controlled by the hackers, were disguised as tools to help Instagram users manage their accounts and grow their number of followers.
Security firm ESET discovered the apps and alerted Google, which removed them from the Play Store, but not before they had been downloaded more than 1.5 million times.
ESET said it believed the apps originated from Turkey but, because they use English, they were downloaded by unsuspecting users around the globe.
All of the apps use a very similar strategy to harvest the data of the victim, with users tricked into thinking the app can be used to quickly boost the number of followers and ‘Likes’ on their profile.
Once the app is installed, the victim is asked to enter their username and password on what looks like a legitimate login screen. The app then siphons off those login details and sends them in plain text to a server controlled by the hackers.
The user is then shown a message saying they have entered an “incorrect password” and that they need to verify their account by logging into Instagram.
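The behaviour described above, credentials submitted to an unexpected server in clear text, is something a defender can look for in application network traffic. The following is an added example, not code from ESET or from the article: it takes a list of HTTP requests (the three sample requests are constructed for this example, not captured from the apps in question) and flags any that post credential-like form fields either over plain HTTP or to a host outside an assumed allow-list of legitimate Instagram endpoints. The allow-list, the field-name list and the `.invalid` hostnames are assumptions made for the example.

```python
"""Flag HTTP requests that carry credential-like form fields to the wrong place.

Added illustration for this article, not ESET's or Google's tooling. The sample
requests are constructed; the hosts and field names are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Form field names that typically carry login data (assumed list).
CREDENTIAL_KEYS = {"username", "user", "login", "email", "password", "pass", "passwd", "pwd"}

# Hosts a genuine Instagram login would talk to (assumed allow-list for the example).
EXPECTED_HOSTS = {"www.instagram.com", "i.instagram.com"}

# Constructed sample traffic: one legitimate login, one exfiltration-style
# request to a third-party host over plain HTTP, one harmless image fetch.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://www.instagram.com/accounts/login/ajax/",
     "body": "username=alice&password=hunter2"},
    {"method": "POST", "url": "http://collector.example.invalid/api/collect.php",
     "body": "user=alice&pass=hunter2&device=android"},
    {"method": "GET", "url": "http://cdn.example.invalid/banner.png", "body": ""},
]


def credential_fields(body: str) -> list:
    """Return the credential-like field names present in a form-encoded body."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(k for k in fields if k.lower() in CREDENTIAL_KEYS)


def assess_request(request: dict) -> dict:
    """Describe why a request is, or is not, suspicious.

    A request is flagged when it carries credential-like fields and either
    travels over plain HTTP (readable by anyone on the path) or goes to a
    host that a legitimate login would never need.
    """
    parts = urlsplit(request["url"])
    fields = credential_fields(request.get("body", "")) if request["method"] == "POST" else []
    over_plain_http = parts.scheme == "http"
    unexpected_host = parts.hostname not in EXPECTED_HOSTS
    return {
        "host": parts.hostname,
        "credential_fields": fields,
        "over_plain_http": over_plain_http,
        "unexpected_host": unexpected_host,
        "flagged": bool(fields) and (over_plain_http or unexpected_host),
    }


def flagged_requests(requests: list) -> list:
    """Assess every request and keep only the ones worth an analyst's attention."""
    return [r for r in map(assess_request, requests) if r["flagged"]]


if __name__ == "__main__":
    for finding in flagged_requests(SAMPLE_REQUESTS):
        print(finding)
```

Only the second sample request is reported: it posts `user` and `pass` fields over unencrypted HTTP to a host that has nothing to do with Instagram. The genuine login is left alone because it goes over HTTPS to an allow-listed host. Real apps may also send credentials as JSON or in custom headers, so this form-field check is a starting point rather than a complete detector.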
ESET says the stolen credentials could then be used to spread spam, or to log in to the victim’s other accounts if they have used the same credentials elsewhere online.
Victims are advised to uninstall the malicious apps and change the password on their Instagram account immediately and also on any other accounts where the same password has been used.
ESET also says that users need to be mindful when downloading apps, even from the Google Play Store.
Only download apps from trusted developers, ideally ones listed under Editor’s Choice or marked Top Developer, and don’t put too much weight on an app having scores of positive reviews, as these could be fake.
Also make sure you have an up-to-date antivirus or security app installed on your phone.