It seems incredible but, believe it or not, a cunning app developer has managed to trick over a million users into downloading an advertising app that masquerades as the globally popular messaging app, WhatsApp. The app is called Update WhatsApp Messenger and does a very convincing job of looking like the real thing, even pulling off a clever trick to ensure that the developer’s name appears legitimate.
Fortunately, this particular developer wasn’t exactly malicious, and their only intention seems to have been to generate ad revenue by tricking users into downloading the app. The app also didn’t require too many permissions and turned out to be an ad-loaded wrapper designed to have a blank icon and title so that users don’t see the app once it’s installed. This has left novice users helpless against the app’s intrusive ads and unable to uninstall it. For added measure, and to encourage more people to download the app, the developers used a clever digital ‘sleight of hand’ to appear as the genuine developers of WhatsApp. They achieved this by placing a Unicode space character after the developer name, which read, in computer code, as ‘WhatsApp+Inc%C2%A0.’ but appeared to Android users as ‘WhatsApp Inc.’, just like the real deal.
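A reviewer-side check for the developer-name trick described above, as an added example that is not from the original article: it decodes the listing's developer string, reports any non-ASCII space or invisible character, and compares a folded form of the name against a known publisher. The allow-list and the function names are assumptions made for this illustration.

```python
import unicodedata
from urllib.parse import unquote_plus

# Constructed allow-list of genuine publisher names (assumption for this example).
KNOWN_PUBLISHERS = {"WhatsApp Inc."}

def suspicious_chars(name):
    """List (index, code point, Unicode name) for each non-ASCII space,
    format or control character in the string."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if (cat == "Zs" and ch != " ") or cat in ("Cf", "Cc", "Zl", "Zp"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def skeleton(name):
    """Comparison key: NFKC-normalise, drop invisible characters and all
    whitespace, then casefold. Two names that render alike share a key."""
    folded = unicodedata.normalize("NFKC", name)
    kept = [c for c in folded
            if unicodedata.category(c) not in ("Cf", "Cc") and not c.isspace()]
    return "".join(kept).casefold()

def check_developer(raw, url_encoded=False):
    """Classify a developer string from a store listing or its URL."""
    name = unquote_plus(raw) if url_encoded else raw
    if name in KNOWN_PUBLISHERS:
        # Byte-identical string only; account identity is a separate check.
        return {"name": name, "verdict": "exact-match", "hidden": []}
    hidden = suspicious_chars(name)
    for known in KNOWN_PUBLISHERS:
        if skeleton(name) == skeleton(known):
            return {"name": name, "verdict": "impersonates",
                    "target": known, "hidden": hidden}
    return {"name": name, "verdict": "unrelated", "hidden": hidden}

if __name__ == "__main__":
    # The URL-encoded developer string quoted in the article.
    print(check_developer("WhatsApp+Inc%C2%A0.", url_encoded=True))
```

The same comparison key also catches spacing variants that contain no hidden character at all, so the `hidden` list is evidence for the report rather than the condition for the verdict.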
Google has now removed this ‘fake WhatsApp’ from the Play Store, but this is not the first time such apps have been spotted on Google’s official app delivery platform. The Play Store has often been plagued with these kinds of incidents, but this one is particularly significant given the number of downloads and the lengths to which the developers had gone to appear genuine. It’s very sad and even shameful that Google wasn’t able to pick up on this scam early on and put an end to it, even as more than a million users downloaded the app.
Despite efforts on Google’s own part and their security incentive programs such as Bug Bounty, the Play Store is awash with malicious apps that manage to fool security mechanisms and affect Android users in the millions. While this is to be expected given the Android platform’s open nature as opposed to its competitors, it’s high time that Google stepped up its efforts to stop this kind of exploitation of its services.
Still, common sense is the best and first line of defence in the world of cyberspace. Despite the lengths to which the developers had gone to appear legitimate, there were a number of tell-tale signs of ‘fishiness’ to anyone with common sense and anyone who took a bit of time to read before they tapped install. First off, the name ‘Update WhatsApp Messenger’ is a dead giveaway. Why would WhatsApp issue an ‘update app’ when updates to the app are delivered via the Play Store? Then, the number of downloads. It’s common knowledge that WhatsApp has over a billion users, so the app having only one million downloads should look suspicious. A cursory reading of the reviews may also have alerted users to the nature of the app they were downloading. For more knowledgeable users, the ‘contains ads’ label under the install button would also have been a huge red flag, as WhatsApp does not display ads.
The lesson to be taken from this episode is that ultimately, you alone are responsible for your security online. It is very unlikely that you can be infected, affected or in any other way intruded upon without your authorization. Therefore, we strongly encourage everyone to think once and read twice before they click or tap on anything.