A fake version of the Android WhatsApp app was downloaded a million times from the Google Play Store before users discovered the fraud, and Google removed it.
Google appears not to have done enough to stop scammers from impersonating well-known apps such as WhatsApp: they simply copied the familiar app name, icon, and developer name and distributed the result to unsuspecting Play Store customers.
One of several fake WhatsApp apps was downloaded between one million and five million times before it was flagged by users on Reddit. The app, which was called 'Update WhatsApp', looked identical to the real WhatsApp.
To dupe Android users, those behind the fake app differentiated its developer ID from WhatsApp's ID by adding Unicode encoding for a type of space, known as a 'no-break space', at the end of the name.
So, the real WhatsApp developer ID URL looks like this:
Whereas the fake WhatsApp developer ID URL looked like this:
The app concealed its presence on devices by creating a blank icon, so that it couldn't be seen in the Apps screen after being installed.
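The developer-name trick above (a visually blank U+00A0 appended to an otherwise identical name) can be caught by normalizing names before comparing them. The following is an added example, not code from the article or from Google; the allow-list and the listings are constructed, and the real developer name is assumed to be "WhatsApp Inc." only for illustration.

```python
import unicodedata

# Constructed allow-list of developer names we trust, byte-for-byte.
TRUSTED_DEVELOPERS = {"WhatsApp Inc."}


def normalize(name: str) -> str:
    # NFKC folds compatibility spaces (U+00A0 -> U+0020), then every
    # remaining whitespace is treated as a plain space and zero-width
    # format characters (category Cf) are dropped, so
    # "WhatsApp Inc.\u00a0" and "WhatsApp Inc." compare equal.
    folded = unicodedata.normalize("NFKC", name)
    kept = "".join(" " if ch.isspace() else ch
                   for ch in folded if unicodedata.category(ch) != "Cf")
    return " ".join(kept.split())


def suspicious_chars(name: str):
    # Return (index, Unicode name) for every character in the raw name that
    # renders blank but is not an ordinary ASCII space.
    hits = []
    for i, ch in enumerate(name):
        if unicodedata.category(ch) == "Cf" or (ch.isspace() and ch != " "):
            hits.append((i, unicodedata.name(ch, "U+%04X" % ord(ch))))
    return hits


def classify(developer: str) -> str:
    if developer in TRUSTED_DEVELOPERS:
        return "trusted"
    # Same after normalization but not byte-equal: a look-alike name.
    if normalize(developer) in {normalize(t) for t in TRUSTED_DEVELOPERS}:
        return "impersonation"
    if suspicious_chars(developer):
        return "suspicious"
    return "unknown"


# Constructed listings (app title, developer name), not real Play Store data.
SAMPLE_LISTINGS = [
    ("WhatsApp Messenger", "WhatsApp Inc."),
    ("Update WhatsApp", "WhatsApp Inc.\u00a0"),   # trailing NO-BREAK SPACE
    ("Update WhatsApp", "WhatsApp\u200b Inc."),   # ZERO WIDTH SPACE inside
    ("Some Game", "Acme Studios"),
]


def audit(listings):
    return [(app, classify(dev)) for app, dev in listings]


if __name__ == "__main__":
    for app, verdict in audit(SAMPLE_LISTINGS):
        print(f"{app!r}: {verdict}")
```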
Fortunately, the developer appears only to have used the bogus app to make money through advertising. However, the same technique could have been used to distribute more harmful malware.
Avast mobile security researcher Nikolaos Chrysaidos discovered more bogus WhatsApp apps over the weekend. He's also flagged several other fake WhatsApp apps on Google Play over the last month, including fake Facebook Messenger apps.
The Play Store is widely recommended as the safest place from which to install Android apps, but Google has had trouble keeping it free of malware. The latest trend among rogue developers is to hide cryptocurrency miners in apps, which use a device's CPU without asking the user's permission.
Android users are advised to check apps carefully before installing them, including reading user reviews. However, in this case the bogus WhatsApp app had a four-star rating and over 6,000 reviews.
Previous and related coverage
BankBot trojan malware waits twenty minutes after the app is used before moving to run its payload.
Malware authors cash in on Android users through SMS fraud and unwanted online subscriptions.