In his tweet David said, "I would say "Who Viewed Your Profile - InstaAgent" is the first malware in the iOS App Store that is downloaded half a million times." According to the developer, the app which comes with full name "Who Viewed Your Profile - InstaAgent" was available to download both via Google Play and App Store, and was able to send user credentials to a remote server via clear text.
The developer also found that the third-party client was posting images without user permission on Instagram profiles. "Surprise, surprise, #InstaAgent is also posting images without your permission in your #Instagram profile," said David in another tweet.
MacRumors pointed that before David discovered the 'harvesting' of user names and passwords by InstaAgent, the app was rated as number 1 free app in both Canada and the United Kingdom in the App Store.
In the meanwhile, Instagram has asked users that installed InstaAgent app to change their password. In a statement to BBC, it said, "These types of third-party apps violate our platform guidelines and are likely an attempt to get access to a user's accounts in an inappropriate way. We advise against installing third-party apps like these. Anyone who has downloaded this app should delete it and change their password."
Users who use their Instagram password for other sites as well will of course need to make more than one password change.