Fraudsters are managing to get fake WhatsApp apps published on the Play Store.
Fake WhatsApp with a 4.2 star rating and over 6,000 reviews.
Image: Nikolaos Chrysaidos
Google appears not to have done enough to prevent scammers from exploiting well-known apps, such as WhatsApp, by simply copying familiar app names, icons, and developer names and distributing the copies to unsuspecting Play Store customers.
One of several fake WhatsApp apps was downloaded between one million and five million times before it was flagged by users on Reddit. The app, which was called ‘Update WhatsApp’, looked identical to the real WhatsApp.
To dupe Android users, those behind the fake app differentiated its developer ID from WhatsApp’s ID by adding Unicode encoding for a type of space, known as a ‘no-break space’, at the end of the name.
So, the real WhatsApp developer ID URL looks like this:
Whereas the fake WhatsApp developer ID URL looked like this:
The app concealed its presence on devices by creating a blank icon, so that it couldn’t be seen in the Apps screen after being installed.
Fortunately, the developer appears only to have used the bogus app to make money through advertising. However, the same technique could have been used to distribute more harmful malware.
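A store reviewer or a mobile-fleet administrator can catch the trailing no-break space in a developer name mechanically. The following Python check is an added example, not code from the article or from Google; the publisher name "Example Chat Inc." and the allow-list are constructed for illustration.

```python
import unicodedata
from urllib.parse import quote

# Constructed allow-list of legitimate publisher names (assumption, not from the article).
TRUSTED_PUBLISHERS = ["Example Chat Inc."]


def suspicious_chars(name):
    """List (index, code point, Unicode name) of characters that render blank or invisible."""
    hits = []
    for i, ch in enumerate(name):
        # Zs = space separators (U+00A0 no-break space is one), Cf = zero-width/format, Cc = control
        if ch != " " and unicodedata.category(ch) in ("Zs", "Cf", "Cc"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits


def skeleton(name):
    """Comparison form: NFKC-normalise, drop format characters, collapse whitespace, casefold."""
    text = unicodedata.normalize("NFKC", name)  # maps U+00A0 to an ordinary space
    text = "".join(c for c in text if unicodedata.category(c) != "Cf")
    return " ".join(text.split()).casefold()


def check_publisher(name, trusted=TRUSTED_PUBLISHERS):
    """Return 'trusted' on an exact match, 'impersonation' on a look-alike, else 'unknown'."""
    if name in trusted:
        return "trusted"
    if any(skeleton(name) == skeleton(t) for t in trusted):
        return "impersonation"
    return "unknown"


def url_form(name):
    """Percent-encode the name as it would appear in a URL, exposing hidden bytes."""
    return quote(name, safe="")


if __name__ == "__main__":
    # Constructed samples: the genuine name, the same name with a trailing no-break space, an unrelated name.
    for sample in ["Example Chat Inc.", "Example Chat Inc.\u00a0", "Some Other Dev"]:
        print(repr(sample), check_publisher(sample), url_form(sample), suspicious_chars(sample))
```

The percent-encoded form is the quickest manual check: a trailing no-break space shows up as `%C2%A0` at the end of the encoded name even though the rendered name looks identical.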
Avast mobile security researcher Nikolaos Chrysaidos discovered more bogus WhatsApp apps over the weekend. He’s also flagged several other fake WhatsApp apps on Google Play over the last month, including fake Facebook Messenger apps.
The Play Store is widely recommended as the safest place from which to install Android apps, but Google has had trouble keeping it free of malware. The latest trend among developers is to hide cryptocurrency miners in apps, which use a device’s CPU without asking the user’s permission.
Android users are advised to check apps carefully before installing them, including reading user reviews. However, in this case the bogus WhatsApp app had a four-star rating and over 6,000 reviews.