Android users were tricked by a convincing fake WhatsApp app listing in the official Google Play Store, but one expert said this incident shouldn't take away from confidence in the safety of the Play Store.
The issue was first revealed on the r/Android subreddit, where a fake WhatsApp app listing in the Google Play Store was shown with a developer name that appeared to be the real WhatsApp Inc. Redditor "E_x_Lnc" first posted about the fake listing, noting that the name was followed by a Unicode character that mimicked a blank space in order to bypass Google's malware scanner; the character was invisible unless someone looked at the underlying code itself.
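As an added illustration (not code from the article or from Google), the check below canonicalizes developer names before comparing them against a trusted list, so a name that differs from a legitimate one only by a trailing non-breaking space or an embedded zero-width character is flagged as a lookalike instead of passing or failing an exact match silently. The sample listings and the specific code points used (U+00A0, U+200B) are constructed assumptions standing in for whatever character the real fake listing used.

```python
import unicodedata

# Constructed sample listings for demonstration; not taken from the article.
SAMPLE_LISTINGS = [
    {"app": "WhatsApp Messenger", "developer": "WhatsApp Inc."},
    {"app": "Update WhatsApp Messenger", "developer": "WhatsApp Inc.\u00a0"},
    {"app": "WhatsApp Messenger", "developer": "WhatsApp\u200b Inc."},
    {"app": "Some Other App", "developer": "Other Dev"},
]

# Assumed allow-list of developer names a reviewer has verified by hand.
TRUSTED_DEVELOPERS = {"WhatsApp Inc."}


def canonical_name(name: str) -> str:
    """Reduce a developer name to what a human reader actually perceives.

    NFKC folds compatibility forms (e.g. full-width letters, NBSP -> space).
    Invisible format characters (category Cf, e.g. zero-width space) are
    dropped, every remaining Unicode space becomes a plain ASCII space, and
    runs of spaces are collapsed and trimmed so a trailing blank vanishes.
    """
    folded = unicodedata.normalize("NFKC", name)
    chars = []
    for ch in folded:
        category = unicodedata.category(ch)
        if category == "Cf":
            continue  # zero-width / format characters carry no visible glyph
        if category.startswith("Z") or ch.isspace():
            chars.append(" ")
        else:
            chars.append(ch)
    return " ".join("".join(chars).split())


def classify(developer: str, trusted=TRUSTED_DEVELOPERS) -> str:
    """'trusted' on exact match, 'lookalike' if only invisible chars differ."""
    if developer in trusted:
        return "trusted"
    if canonical_name(developer) in trusted:
        return "lookalike"
    return "unknown"


def audit(listings):
    """Return (app, developer, verdict) for each listing, for review."""
    return [(item["app"], item["developer"], classify(item["developer"]))
            for item in listings]


if __name__ == "__main__":
    for app, dev, verdict in audit(SAMPLE_LISTINGS):
        print(f"{verdict:9} {app!r} by {dev!r}")
```

In a real review pipeline the same normalization should be applied to the app title as well, since the store surfaces both to the user.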
There were some minor red flags on the fake WhatsApp app listing that redditors pointed out, though. First, while 1 million downloads may seem impressive, the real WhatsApp has been downloaded more than 1 billion times. The fake WhatsApp app listing also carried a tag indicating the app contained ads, which the real app does not. Finally, the real WhatsApp listing bears the "Verified by Play Protect" branding from Google.
What the fakeout means
Liviu Arsene, senior e-threat analyst at Romania-based antimalware firm Bitdefender, said using Unicode characters to impersonate a brand name and the fake WhatsApp app itself should never have made it past the Google Bouncer malware scanners.
"Malicious app developers have proven to be very resourceful in the past, and this incident with WhatsApp is no different," Arsene told SearchSecurity. "It's worth noting that before actually installing an application users should also go through the comments section to see if others reported any abnormalities with it, or even do a little research regarding the developer's name and what other apps he has published, to spot any potential issues."
According to redditor "dextersgenius," the app itself was little more than an ad-wrapper, and once installed it tried to hide itself by having a blank icon and no title.
Arsene said "adware itself is not always malicious," which may be why this fake WhatsApp app wasn't caught earlier.
"Benign apps have been smuggled before in Google Play, only to be later updated with malicious components -- even if for a short period of time," Arsene said. "However, malicious behavior that involves data exfiltration and remote control of the device is a lot easier to spot than simply deciding whether or not an ad-displaying app is too intrusive."
Despite this incident, Arsene said Android users should still see the Google Play Store as the safest place to get apps.
"The general line for Android safety remains downloading apps from Google Play, mostly because these incidents where malware or aggressive adware makes it in their marketplace are sufficiently rare and quickly handled," Arsene said. "However, it's more than recommended to also rely on a security solution for mobile devices, as security vendors are in the business of scrutinizing apps more aggressively for keeping users safe."