A fake WhatsApp app managed to evade the Google Play Store's security screening by using Unicode to impersonate the real app. In light of this weakness in app store security measures, what steps should users and enterprises take to avoid counterfeit apps?
Because smartphones have a fundamentally different security design and do not carry the same insecure legacy as Windows or Apple desktops and laptops, they have significant promise to be more secure.
One major difference between the two platforms is the use of app stores -- or walled gardens -- that allow users to easily install applications. It is within the app store that users often assume that all the applications are legitimate.
However, malware, such as ExpensiveWall, continues to show just how dangerous these assumptions can be, as it is possible for malware to use the name of legitimate apps in the app store. This was recently done to develop a fake WhatsApp app.
A fake WhatsApp app was published in the Google Play Store and named WhatsApp, with what looks like a blank space at the end of the name. This was a wrapper around an adware app for displaying ads on mobile devices. The app used a similar developer name, didn't say it was verified by Google and was downloaded around 1 million times.
Short-term ways to protect against adware include users reviewing comments about the app and using a separate mobile security tool that is more restrictive than the Google Play Store. Furthermore, enterprises may even want to control what apps are installed on their users' mobile devices and vet apps for their end users.
It's very difficult for people to distinguish an l from a 1 from a | from an I in an app's name, so it's not surprising that hackers take advantage of this flaw. It is reasonable to assume that Google and other app stores check for Unicode lookalikes and other obfuscation techniques, but they may find it difficult to check every language and character code for characters that look similar and that could be used for deception.
While this is not a new problem, the scale is definitely larger given the wider audience using app stores. Still, it is certainly better than having to determine whether an illegitimate application, such as the fake WhatsApp app, was downloaded from a legitimate app store. The next step is to determine whether the app itself is legitimate, and app stores have been making advancements to help protect mobile devices in this way.
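The two tricks described above, a trailing character that renders as blank space and letters that are visually confusable, can both be caught by comparing a "skeleton" of the listed name against the brand it resembles. The following is an added example written for this article, not code from the article or from Google; the confusable table is a small constructed subset of Unicode's confusables list, and the sample listings are constructed.

```python
import unicodedata

# Constructed, minimal confusable table: characters that render like an
# ASCII letter, mapped to one skeleton form. Unicode's full confusables.txt
# is far larger; this covers the cases the article names plus a few Cyrillic
# lookalikes for illustration.
CONFUSABLES = {
    "1": "l", "|": "l", "I": "l",
    "0": "O",
    "\u0410": "A",  # Cyrillic capital A
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u0440": "p",  # Cyrillic small er
    "\u0455": "s",  # Cyrillic small dze
}

# General categories that contribute nothing visible to the rendered name:
# Cf (format, e.g. zero-width space), Zs (spaces, including U+00A0),
# Mn (combining marks), Cc (control characters).
INVISIBLE_CATEGORIES = {"Cf", "Zs", "Mn", "Cc"}


def skeleton(name: str) -> str:
    """Reduce an app name to a comparison form that drops invisible
    characters and collapses visually confusable letters."""
    # NFKC folds compatibility forms (fullwidth letters, no-break space).
    folded = unicodedata.normalize("NFKC", name)
    out = []
    for ch in folded:
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def impersonates(candidate: str, brand: str) -> bool:
    """True when `candidate` is not identical to `brand` but collapses to
    the same skeleton, i.e. a user would read it as the brand name."""
    return candidate != brand and skeleton(candidate) == skeleton(brand)


def flag_listings(listings, brand: str):
    """Return the listing names that visually impersonate `brand`."""
    return [name for name in listings if impersonates(name, brand)]


if __name__ == "__main__":
    # Constructed sample listings; the second mimics the trailing
    # blank-looking character described in the article.
    sample = ["WhatsApp", "WhatsApp\u00a0", "Whats\u0410pp", "WhatsApp Business"]
    print(flag_listings(sample, "WhatsApp"))  # ['WhatsApp\xa0', 'WhatsАpp']
```

A store-side or enterprise vetting pipeline would run this against a list of protected brand names and hold flagged listings for manual review rather than reject them outright, since legitimate variants such as "WhatsApp Business" should still pass.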