Yesterday some users spotted a fake version of the popular WhatsApp messaging app for Android on the official Google Play Store that has already tricked more than one million users into downloading it.
Dubbed Update WhatsApp Messenger, the app came from a developer who pretended to be the actual WhatsApp service by using the developer title “WhatsApp Inc.”, the same title the actual WhatsApp messenger uses on Google Play.
The app maker added a Unicode space character after the actual WhatsApp Inc. name, which in URL-encoded form reads WhatsApp+Inc%C2%A0.
However, this hidden space character at the end of the WhatsApp Inc. name would be effectively invisible to an average Android user browsing the Google Play Store, allowing this dodgy version of the app to masquerade as a product of WhatsApp Inc.
In other words, the titles used by the fake app maker and the real WhatsApp service were different but appeared the same to a user.
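The check below is an added example, not code from the article, Google or WhatsApp: it decodes a URL-encoded developer name such as the one quoted above (where %C2%A0 is the UTF-8 encoding of U+00A0, NO-BREAK SPACE), lists any characters that render as blank or nothing, and compares a normalized form of the name against a list of protected publishers. It goes slightly beyond the article's case by also catching zero-width and other format characters; `TRUSTED_PUBLISHERS` and all function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import unquote_plus

# Assumed allowlist of publisher names to protect (constructed for this example).
TRUSTED_PUBLISHERS = ["WhatsApp Inc."]


def hidden_chars(name):
    """Return (index, code point, Unicode name) for characters that render blank or invisible."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Zs = space separators (anything but plain U+0020), Cf = format, Cc = control
        if (cat == "Zs" and ch != " ") or cat in ("Cf", "Cc"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return found


def skeleton(name):
    """Comparison form: NFKC-fold, drop control/format chars and punctuation, trim, casefold."""
    folded = unicodedata.normalize("NFKC", name)  # maps U+00A0 to a plain space
    folded = "".join(c for c in folded if unicodedata.category(c)[0] not in ("C", "P"))
    return " ".join(folded.split()).casefold()


def check_publisher(encoded_name):
    """Classify a URL-encoded developer name as 'trusted', 'lookalike' or 'unknown'."""
    name = unquote_plus(encoded_name)
    for trusted in TRUSTED_PUBLISHERS:
        if name == trusted:
            return "trusted", []
        # Same skeleton but different code points: looks identical, is not identical.
        if skeleton(name) == skeleton(trusted):
            return "lookalike", hidden_chars(name)
    return "unknown", hidden_chars(name)


if __name__ == "__main__":
    # First value is the string quoted in the article; the others are constructed samples.
    for sample in ["WhatsApp+Inc%C2%A0", "WhatsApp+Inc.", "WhatsApp%E2%80%8B+Inc."]:
        print(sample, "->", check_publisher(sample))
```
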
According to Redditors, who first spotted this fake app on Friday, the app was not a chat app; instead, it served Android users with advertisements to download other apps.
“I’ve also installed the app and decompiled it,” one Redditor said. “The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk.’ The app also tries to hide by not having a title and having a blank icon.”
It is an unfortunate truth that even after so many efforts by Google (including its recently launched Bug Bounty Program), malicious apps still somehow manage to fool the Play Store’s security mechanisms and infect millions of Android users.
Google Play Store is still surrounded by hundreds of other fake and malicious apps that trick users into downloading and installing them and potentially infect their smartphones to carry out malicious activities without their knowledge.