Instagram’s private accounts feature lets users share their photos to a curated group of followers. For vulnerable users, it is sort of a safe space where they can be themselves. Ghosty is an app in the Google Play store that wants to get around that all that. By leveraging details of users who voluntarily enter their user names and passwords, it essentially creates shadow profiles that users can view.

Here’s how it works in brief:

  • Person A follows Person B, a private account.
  • Person A creates a Ghosty for whatever reason.
  • Ghosty now scrapes all data from Person A’s followings, including Person B.
  • Person C comes to stalk Person A on Ghosty. Icky, icky, profit.

It’s not as if the users don’t know exactly what they’re getting in for. One review on the Google Play Store mentions using it for stalking. It goes without saying that this is a flagrant violation of Instagram’s terms and conditions, as well as the privacy expectations users have when using private accounts.

An Instagram spokesperson issued the following statement to Android Police:

Yes, this app violates our terms. This functionality has never been available through our API. We will be sending a cease and desist letter to Ghosty ordering them to immediately stop their activities on Instagram, among other requests. We are investigating and planning further enforcement relating to this developer.

At the time of posting, Ghosty was still live on the Google Play Store.

Source: Android Police