WhatsApp has recently been in the news for funny reasons. Only last week the messaging app suffered an outage that left many people across the globe unable to access it. The latest is the appearance of a fake version of the Android WhatsApp app, which was downloaded a million times from the Google Play Store before users discovered the fraud and Google removed it.
As noted by the Reddit user who first spotted it, it used the official WhatsApp logo and had a high user rating of 4.2 stars.
What’s more, it even appeared to have been developed by WhatsApp Inc., the creators of the real WhatsApp app.
However, it has now been removed from the Play Store.
According to reports, the people behind the fake app managed to pull off this trick by adding an invisible Unicode space character to the end of the developer name, which in computer code reads “WhatsApp+Inc%C2%A0”.
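A defender-side check for the trick described above, as an added example that is not part of the original article or any store's real vetting code: it decodes the quoted name, compares it with an allow-list after Unicode normalization, and reports which hidden characters made the two strings differ. The allow-list and all function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import unquote_plus

# Assumed allow-list for this example; "WhatsApp Inc." is the genuine name cited above.
TRUSTED_PUBLISHERS = {"WhatsApp Inc."}

def hidden_chars(name):
    """List (index, code point, Unicode name) of blank or invisible characters
    other than the ordinary ASCII space."""
    found = []
    for i, ch in enumerate(name):
        # Zs: space separators such as U+00A0; Cf: zero-width/format; Cc: controls.
        if ch != " " and unicodedata.category(ch) in ("Zs", "Cf", "Cc"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return found

def skeleton(name):
    """Comparison form: NFKC-fold (U+00A0 becomes a plain space), drop format
    characters and punctuation, collapse whitespace, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    kept = "".join(c for c in folded
                   if unicodedata.category(c) != "Cf"
                   and not unicodedata.category(c).startswith("P"))
    return " ".join(kept.split()).casefold()

def check_publisher(raw, url_encoded=False):
    """Classify a publisher name as 'trusted', 'impersonation' or 'unknown'."""
    name = unquote_plus(raw) if url_encoded else raw
    if name in TRUSTED_PUBLISHERS:           # exact, code-point-for-code-point match
        return "trusted", []
    if skeleton(name) in {skeleton(t) for t in TRUSTED_PUBLISHERS}:
        # Looks identical to a trusted name on screen but is a different string.
        return "impersonation", hidden_chars(name)
    return "unknown", hidden_chars(name)

if __name__ == "__main__":
    # The encoded name quoted in the article, plus constructed samples.
    for raw, enc in [("WhatsApp+Inc%C2%A0", True), ("WhatsApp Inc.", False),
                     ("Whats\u200bApp Inc.", False), ("Example Games", False)]:
        print(repr(raw), check_publisher(raw, url_encoded=enc))
```

The `%C2%A0` suffix decodes to U+00A0 (NO-BREAK SPACE), which is why the name rendered the same as the genuine one while being a distinct string.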
Dextersgenius, a Reddit user who downloaded it while it was still available, has described what it did.
“The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’,” he said.
“The app also tries to hide itself by not having a title and having a blank icon.”
Fortunately, the developer appears only to have used the bogus app to make money through advertising. However, the same technique could have been used to distribute more harmful malware.
The fact that over a million people managed to download it before it was taken down is a cause for concern.
Google is supposed to protect Android users by blocking fake and malicious apps from the Play Store, and it’s clear that the company’s security system isn’t foolproof.
Avast mobile security researcher Nikolaos Chrysaidos discovered more bogus WhatsApp apps over the weekend. He’s also flagged several other fake WhatsApp apps on Google Play over the last month, including fake Facebook Messenger apps.
The Play Store is widely recommended as the safest place from which to install Android apps, but Google has had trouble keeping it free of malware. The latest trend among developers is to hide cryptocurrency miners in apps, which use a device’s CPU without asking the user’s permission.
Android users are advised to check apps carefully before installing them, including reading user reviews. However, in this case the bogus WhatsApp app had a four-star rating and over 6,000 reviews.
It is far from the first time that Google has had to clean up fake malicious apps on the Play Store.
In 2015, the firm had to step in and block one program that disguised itself as a battery monitor and sent premium-rate text messages from people’s phones.