A fake WhatsApp app managed to evade the Google Play Store's security screening by using Unicode to impersonate...
the real app. In light of this weakness in app store security measures, what steps should users and enterprises take to avoid counterfeit apps?
Because smartphones have a fundamentally different security design and do not have the same insecure legacy of Windows or Apple desktops and laptops, they have significant promise to be more secure.
One major difference between the two platforms is the use of app stores -- or walled gardens -- that allow users to easily install applications. It is within the app store that users often assume that all the applications are legitimate.
However, malware, such as ExpensiveWall, continues to show just how dangerous these assumptions can be, as it is possible for malware to use the name of legitimate apps in the app store. This was recently done to develop a fake WhatsApp app.
A fake WhatsApp app was published in the Google Play Store and named WhatsApp, with what looks like a blank space at the end of the name. This was a wrapper around an adware app for displaying ads on mobile devices. The app used a similar developer name, didn't say it was verified by Google and was downloaded around 1 million times.
Short-term ways to protect against adware include users reviewing comments about the app and using a separate mobile security tool that is more restrictive than the Google Play Store. Furthermore, enterprises may even want to control what apps are installed on their users' mobile devices and vet apps for their end users.
It's very difficult for people to distinguish an l from a 1 from a | from an I in an app's name, so it's not surprising that hackers take advantage of this flaw. It is reasonable to assume that Google and other app stores check Unicode and other obfuscation techniques, but they may find it difficult to check every language and character code for characters that look similar and that could be used for deception.
While this is not a new problem, the scale is definitely larger given the wider audience using app stores; however, it is certainly better than having to determine if an illegitimate application was downloaded from a legitimate app store, such as the fake WhatsApp app. The next step is to determine if the app is legitimate. To do so, app stores have been making advancements to help protect mobile devices.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Mobile application security best practices
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading