"in order to distribute spam and ads"
[unflattering comparison to existing social networks here]
Security researchers have discovered 13 new Instagram credential-stealing apps on Google Play. The malicious apps, which pose as tools for either managing or boosting Instagram follower numbers, are actually designed to phish for Instagram credentials. The stolen credentials allow hackers to abuse compromised accounts in order …
Last I heard, Google scans apps in a VM, a similar method to the one antivirus software uses. In other words...NOT effective. Not sure, but I vaguely remember Apple runs the software on some big iPhone server thing, very closely simulating an actual iPhone. Not sure of the specifics, of course.
So to summarize...Yes. It is a big 'ole self-policed free-for-all storm of crap. Google really needs to fix it, it makes their platform a complete mess.
"Forgive my ignorance, (I'm a fanboi) but why does it always take security researchers to discover this stuff in the Playshop or whatever?"
To be fair on Google, it's probably quite tough to vet this particular issue automatically. There are numerous valid reasons to store credentials as part of an application, and making sure the application doesn't forward them would likely be next to impossible, as many applications will require the real password forwarded rather than just a hash....
Google's too busy finding flaws in competitor products to get its own house in order...
This sounds like it fits into the "You Can't Cheat an Honest Man" category.
Under the few circumstances where you might legitimately be interested in complete strangers looking at your Instagram photos, how would an app help?
It sounds like scammers targeting spammers to me. And I have no problem with that.