The usual advice for avoiding malicious apps on Android is simple: do not install anything that comes from outside the Play Store or that has few downloads. That recommendation did not help in the latest case: a fake WhatsApp was downloaded more than 1 million times from Google's official store.
The trick was well executed: the app on Google Play was called “Update WhatsApp Messenger,” it had the same visual identity as the original, and it was published by the developer “WhatsApp Inc.”, exactly the same name Facebook uses to distribute the legitimate version.
But how did Google allow someone else to adopt the same developer name as the original? The attacker appended a Unicode character that was invisible on Google Play: the developer name in the link was “WhatsApp+Inc%C2%A0.” (where %C2%A0 is the URL-encoded form of a non-breaking space), and Google’s system apparently treated that as different from “WhatsApp Inc.,” as The Hacker News shows.
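The gap described above is a name-collision check that compares raw strings, so a name that differs only by an invisible character passes as new. The following example is added here and is not code from the article, from Google or from WhatsApp; it decodes the two developer-name strings quoted above (the plain one and the one carrying %C2%A0), normalizes them the way a defensive duplicate-name check would, and reports which characters in a name render as blank. The category set, the normalization steps and the `is_lookalike` helper are assumptions about how such a check could be built, not a description of Google Play's actual logic.

```python
from __future__ import annotations

import unicodedata
from urllib.parse import unquote_plus

# Constructed samples: the developer-name strings as they appear in the two store
# links discussed in the article. %C2%A0 is UTF-8 for U+00A0 (NO-BREAK SPACE).
LEGIT_ENCODED = "WhatsApp+Inc."
LOOKALIKE_ENCODED = "WhatsApp+Inc%C2%A0."

# Unicode general categories that never carry visible meaning in a display name:
# Cf (format, e.g. zero-width joiner), Cc (control), Zs/Zl/Zp (separators).
# Assumption: treating all of them as ignorable is appropriate for collision checks.
_INVISIBLE_CATEGORIES = {"Cf", "Cc", "Zs", "Zl", "Zp"}


def decode_developer_name(encoded: str) -> str:
    """Turn the URL-encoded developer name into the Unicode string the store renders."""
    return unquote_plus(encoded)


def canonical_name(name: str) -> str:
    """Reduce a display name to a form in which visually identical names compare equal.

    1. NFKC folds compatibility characters (fullwidth letters, ligatures, and the
       non-breaking space, which decomposes to a plain space) to canonical forms.
    2. Every separator, format and control character is dropped, so a name padded
       with zero-width or blank characters collapses onto the unpadded one.
    3. Case is folded so 'WhatsApp' and 'WHATSAPP' collide as well.
    """
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(c for c in folded if unicodedata.category(c) not in _INVISIBLE_CATEGORIES)
    return visible.casefold()


def hidden_characters(name: str) -> list[tuple[int, str]]:
    """List (offset, Unicode name) for each character that renders as blank or not at all.

    Ordinary U+0020 spaces are skipped; they are expected in a developer name.
    """
    return [
        (i, unicodedata.name(c, f"U+{ord(c):04X}"))
        for i, c in enumerate(name)
        if c != " " and unicodedata.category(c) in _INVISIBLE_CATEGORIES
    ]


def is_lookalike(candidate: str, existing: str) -> bool:
    """True when two names differ as raw strings but are identical once normalized."""
    return candidate != existing and canonical_name(candidate) == canonical_name(existing)


if __name__ == "__main__":
    legit = decode_developer_name(LEGIT_ENCODED)
    fake = decode_developer_name(LOOKALIKE_ENCODED)
    print("legit:", repr(legit))
    print("fake: ", repr(fake))
    print("hidden characters in fake:", hidden_characters(fake))
    print("collides with legitimate name:", is_lookalike(fake, legit))
```

Because NFKC runs before the invisible characters are removed, the non-breaking space becomes an ordinary space and is then discarded along with the real one, so both names reduce to the same string; a zero-width space (U+200B) or a fullwidth letter in place of an ASCII one collapses the same way. A store-side check built on `canonical_name` would have flagged the second registration as a collision instead of accepting it as a new developer.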
The malicious application requested few permissions (after all, it only needed internet access). When opened, the malware displayed a web page full of advertisements and attempted to download a second APK, called “whatsapp.apk,” according to a Reddit user's review.
Google has since removed it, but the fake WhatsApp fooled more than 1 million people who trusted the Play Store and collected more than 6,000 ratings on Google's store, averaging 4.2 stars, close to the real app's 4.4 stars.
When neither Google Play's filter, nor Play Protect, nor a check of popularity and user ratings works, the recommendation for staying safe on Android is: ¯\_(ツ)_/¯