Once again Google's Play Store has proved less than excellent at tackling malicious apps, after netizens found a fake version of WhatsApp that was good enough to fool over a million people into downloading it.
The rogue program was spotted by Redditors earlier today, and the software looks very much like the real deal. However, when opened, it appears to download and run the real WhatsApp Android client albeit with adverts wrapped around it, making a fast buck for whichever miscreant produced this dodgy imitation.
"I've also installed the app and decompiled it," reported DexterGenius.
"The app itself has minimal permissions (internet access) but it's basically an ad-loaded wrapper which has some code to download a second apk, also called 'whatsapp.apk.' The app also tries to hide itself by not having a title and having a blank icon."
The fake app, now removed from the official Play Store, appeared to be developed by WhatsApp Inc, the legit Facebook-owned maker of the messaging client. However, thanks to some Unicode trickery, the developer name was not quite the same: it had two extra bytes, 0xC2 0xA0, on the end, which encode an invisible space, so the listing looked identical to the real thing and let this dodgy version masquerade as a product of WhatsApp Inc. In other words, it appeared to be a legit app from a real developer, but really it wasn't.
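One defender-side check against this trick, written here as an added example (not code from the article, Google or WhatsApp): decode the developer name, list any code points that render as nothing or as whitespace, and compare a normalised form against the trusted name. The name and the 0xC2 0xA0 bytes come from the article; the function names and the constructed byte string are assumptions of the example.

```python
import unicodedata

# Constructed from the article: the ASCII developer name followed by the two
# bytes 0xC2 0xA0, which is the UTF-8 encoding of U+00A0 NO-BREAK SPACE.
FAKE_DEVELOPER_BYTES = b"WhatsApp Inc\xc2\xa0"
GENUINE_DEVELOPER = "WhatsApp Inc"

def invisible_code_points(name: str) -> list:
    """Return (index, code point, Unicode name) for each character of `name`
    that draws as nothing or as whitespace but is not a plain ASCII space.
    Covers Unicode separators (Zs/Zl/Zp), format characters (Cf, e.g. zero
    width space and joiners) and control characters (Cc)."""
    found = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue
        if unicodedata.category(ch) in ("Zs", "Zl", "Zp", "Cf", "Cc"):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found

def canonical_developer_name(name: str) -> str:
    """Normalise for comparison: NFKC folds compatibility forms (NBSP becomes
    a plain space), format/control characters are dropped, runs of whitespace
    collapse to one space, and the ends are trimmed."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if unicodedata.category(ch) not in ("Cf", "Cc"))
    return " ".join(text.split())

def impersonates(name: str, trusted: str) -> bool:
    """True when `name` differs from the trusted name code point for code point
    but collapses to it after normalisation, i.e. a human would see no difference."""
    return name != trusted and canonical_developer_name(name) == trusted

if __name__ == "__main__":
    fake = FAKE_DEVELOPER_BYTES.decode("utf-8")
    print(repr(fake), invisible_code_points(fake))
    print("impersonation of", GENUINE_DEVELOPER, "->", impersonates(fake, GENUINE_DEVELOPER))
```

A store-side review pipeline would run the same check against every developer name that normalises to an already-registered, high-profile publisher.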
Despite clearly being a counterfeit build of a highly popular application, Google's software guardians failed to spot the scam; the program had over a million downloads.
Google told The Register it is looking into the matter, and it's likely the writer of the fake version is going to be banned. The Chocolate Factory has been touting the benefits of machine intelligence in tracking down miscreants lurking in its store. Maybe some more human intelligence is needed, too. ®