back to article Over a million Android users fooled by fake WhatsApp app in official Google Play Store

Once again Google's Play Store has proved less than excellent at tackling malicious apps, after netizens found a fake version of WhatsApp that was good enough to fool over a million people into downloading it. The rogue program was spotted by Redditors earlier today, and the software looks very much like the real deal. However …

  1. Pen-y-gors

    Not fair

    Come on, how can the Play Store be expected to know if someone is telling fibs about their app? Only nice people use computers. ...Don't they?

    Actually just more evidence of my theory that one of the most effective anti-malware systems is called 'being an anti-social Luddite' - stick to email for communications and you're okay (or even better, a letter in a cleft stick)

    1. TheVogon

      Re: Not fair

      "Come on, how can the Play Store be expected to know if someone is telling fibs about their app?"

      In this case by the most basic of checks! Clearly they don't bother.

  2. This post has been deleted by its author

    1. mark l 2 Silver badge

      Re: 'two bytes at the end forming an invisible space'

      I expect the scammer in this case made a pretty penny from the fake version. Even some of the less reputable ad networks pay around $2 - $3 CPM, so with a million downloads even if just one ad is show per user that is $2000 - $3000 profit, and if some of them had clicked on the ads it could be into the tens of thousands profit range for very little work.

      1. Version 1.0 Silver badge

        Re: 'two bytes at the end forming an invisible space'

        Further evidence (not that any is needed) that our appetite for adverting will doom us as a race - let's just load up the Golgafrinchan Ark Fleet Ship B with anyone who has ever worked in Advertising.

        1. handleoclast

          Re: 'two bytes at the end forming an invisible space'

          I believe this is a better approach than the B Ark.

    2. Mark 85

      Re: 'two bytes at the end forming an invisible space'

      Interesting that "Anonymous Coward" wants El Reg to unmask miscreants. Not accusatory but interesting.

  3. Anonymous Coward
    Anonymous Coward

    Unicode is evil

    Obviously it is necessary so we have to learn to live with it, but hidden spaces, or "a"s that aren't the same "a" as in UTF8, are going to continue to be a problem until we figure out a way to sanitize inputs to prevent trickery.

    1. Anonymous Coward
      Anonymous Coward

      Re: Unicode is evil

      Actually, anything that doesn't allow to manage and display different languages on the same application is evil, the World doesn't speak English only.

      Non printable characters exist in other character sets as well. The fact that some Cyrillic letters resemble Latin ones is the result of thousands years of writing and cultural exchanges, and you can't change it. And it is very simple in Unicode to detect them, you don't need to process the glyphs, just look at their codes. Mixing alphabets in the same word should raises suspicions... to any competent developer who don't believe the Universe is ASCII-7.

      BTW: UTF-8 is just one of the way you can encode Unicode. Look-alike glyphs are not dependent on the encoding.

      1. TVU Silver badge

        Re: Unicode is evil

        "Actually, anything that doesn't allow to manage and display different languages on the same application is evil, the World doesn't speak English only..."

        Those are good points and it is clear that Google isn't doing enough yet to protect Android users and that it has got to do more, i.e. more money, resources and staff ought to be put into combatting malware in the Play Store.

        1. Anonymous Coward
          Anonymous Coward

          Re: Unicode is evil

          OK maybe my title was hyperbole, and I should have said "implementing Unicode without considering the security aspects was stupid".

          The fact remains that Unicode was brought in to solve an important problem, without considering any of the problems it would cause.

          1. Anonymous Coward
            Anonymous Coward

            "that Unicode was brought in [...] without considering any of the problems it would cause."

            Sorry, but this kind of problems can't be tackled at the Unicode standard level - especially since the character appearance is also up to the font designer - Unicode may say a codepoint is "Cyrillic Capital A" or "Greek Capital Alpha Α" - but its actual glyph is designed by a font designer. They are different codepoints, and an application *can* say they are different.

            As usual, a programmer should "never trust input" - and have some knowledge beyond simple IT.

    2. coconuthead

      Re: Unicode is evil

      This has very little to do with Unicode. The UTF-8 sequence quoted in the article actually represents code point 0xA0, which is the good old nonbreaking space which has been around since ISO 8859-1 and its mutant offspring Windows-1252.

      As for "figure out a way", the obvious would be for Google to check the developer names against actual identity, personal or corporate. I doubt any country would allow a corporation to include a nonbreaking space in its name or mix scripts in an ambiguous manner.

      1. Anonymous Coward
        Anonymous Coward

        "the obvious would be for Google to check the developer names"

        Increasing costs and reducing store revenues? App stores are all about revenues. Basically blackmailing developers to distribute their applications. They should be forbidden as anti-competitive.

        Moreover stores have an implicit trust that in situation like this is dangerous.

        1. This post has been deleted by its author

  4. Michael Thibault

    "it's likely the writer of the fake version is going to be banned"

    Well, there's that. I wonder what the decision criterion will be...

  5. Terry 6 Silver badge

    store fakes

    I don't download many "apps". But on the occasions I've searched for something there always seem to be one or more parallel programmes with similar names and identical claims. Then on top of that, just to muddy the waters, there are the apps that just package data distributed from an original source, e.g. Transport for London bus information. And this means it's almost impossible to identify a legitimate,or even simply a good programme. (Star ratings seem to be of little value, unless there are hundreds of positive votes)

    1. Alan Brown Silver badge

      Re: store fakes

      " (Star ratings seem to be of little value, unless there are hundreds of positive votes)"

      Obligatory XKCD: https://xkcd.com/1098/ and https://xkcd.com/937/

      1. tfewster
        Facepalm

        Re: store fakes

        I thought it was going to be this xkcd

    2. Mage Silver badge

      Re: store fakes and junk

      I found this too. It was a nightmare finding the 3 or 4 Android Apps I have on phone and Tablet.

      Very many downloads and tests required to find

      1) Note taking

      2) Word processor

      3) Signal Generator

      4) MP3 player able to automatically store last position in every file (needed for audio books).

      They do not clearly identify if crippled or having adverts. I'm not averse to paying money, but won't pay it for random advert or malware invested garbage. I actually BOUGHT a keyboard map editor for my Android tablet so I could use the USB keyboard the same way as on Linux for text editing etc. Needed to have áéíóú ÁÉÍÚÓ and € !

      What is it with small USB and BT keyboards having no AltGr/Special/Extended entry key? We don't all want to be locked to the basic characters on USA standard.

      1. handleoclast

        Re: store fakes and junk

        If Google gave a shit about Android users (other than as ways of generating advertising revenue) the play store would let you set search filters that excluded one or more of advertising, non-free, or "freemium" apps. Or at least set an order of prioritization in the search results.

      2. silent_count

        Re: store fakes and junk

        I commend to your attention 'Smart AudioBook Player'. The free version is good enough for my use but I bought the paid version to support the dev. (I have no interest in this software other than being a happy customer)

        If you find anything good in the other categories you mentioned I'd be interested to see.

    3. phuzz Silver badge

      Re: store fakes

      Even today, after this story has been around for a few days, if you go to the Google Play store and search apps for "Whatsapp", you still get at least one clearly fraudulent app in the first page of results, and that's without even mentioning the apps with icons clearly designed to be as similar as possible to an existing one.

  6. Anonymous Coward
    Anonymous Coward

    .. and that ..

    .. is why I keep using iOS. Sorry, but it IS that simple.

    That said, there's no hope in hell I will spend a bucket of money on the model X because, frankly, I don't see the point of the whole facial thing. I know I may be a luddite in this, but if I upgrade I'll save myself that bit of money.

    1. Anonymous Coward
      Anonymous Coward

      Re: .. and that ..

      Why do you think that the Apple store is any more immune to this sort of trickery than Google's Play store?

      1. Dan 55 Silver badge

        Re: .. and that ..

        Because it has a human being that sees something is called "Update WhatsApp Messenger" from a new developer with a Unicode hack in their name and a rip off of the legitimate app's Play Store resources is not legitimate.

        Perhaps Google will update their algorithm to pick up this more often, but then fake app devs will find their way around it (change the Play Store images or description in some subtle way).

        1. Richard 12 Silver badge

          Re: .. and that ..

          Hate to be the one to break it to you, but the Apple App store also relies on algorithms to detect unwanted apps.

          And it also makes stupid mistakes of this kind.

          1. Anonymous Coward
            Anonymous Coward

            Re: .. and that ..

            Hate to be the one to break it to you, but the Apple App store also relies on algorithms to detect unwanted apps. And it also makes stupid mistakes of this kind.

            Old argument: "X is not better than Y because they also make mistakes". Yes, but it's the volume and effort that counts, a bit like with Windows. The Apple camp gets grumbled at because they are a lot more restrictive - well, this is why. The volume of malware that makes it past the iOS team is substantially less than what manages to get itself in the Google Play store. Ergo, the iOS platform seems a safer place to be.

            That could change if Google actually put some effort in filtering, but so far, that appears to be a somewhat forlorn hope :(.

            Note that there is a simple, entirely selfish reason for an iOS user to see Android to be just as safe: less malware and botnets floating around. Let's not forget we're in the same pond, after all.

      2. My Coat

        Re: .. and that ..

        In my case, because I have an android phone and an iOS tablet. I've seen that there's a lot

        fewer blatant rip-off apps in the apple app store than the google one. The only thing I've used that comes close to the shovelware rip offs in the google app store is steam.

        1. Anonymous Coward
          Anonymous Coward

          Re: .. and that ..

          There is, however, one feature in the Google Store that the Apple app store is sorely missing: a flag or warning that an app depends on advertising.

          IMHO, a user should know beforehand if an app will go and download advertising data (and possibly transmit data found on the device to focus those ads). They are intrusive and use the user's bandwidth without permission, so even if they do not extract user data I think the user should still be entitled to know upfront that an app will be doing that. If an app upgrades to an add supported version, that should be blocked until permission from the user is received.

          Don't get me wrong, I understand why some developers try that route, but that creates THREE classes of apps: free once, paid-by-advertising and paid. I do not accept any iOS apps that use advertising as I see it as a risk, but at present there is NO way to discover that beforehand.

          This is one thing I think Google has done better. Now it just has to clean up the rest, you can't sell it to me that Apple makes better algorithms than Google. It is its frigging' business.

  7. Jonathan 27

    Yeah...

    Not trimming unprintable characters in publisher names, eh? Rookie mistake.

    1. Version 1.0 Silver badge

      Re: Yeah...

      The store algorithm probably strips unprintable characters before it parses the strings.

  8. Anonymous Coward
    Anonymous Coward

    Yawn

    Someone want to explain to the cretin what malicious actually means.

    "characterized by malice; intending or intended to do harm."

    Whilst this is obviously fake,it's not malicious. Wonder why I should bother reading stories from clickbaiters with no grasp of the English language.....

    1. handleoclast

      Re: Yawn

      The app is fraudulent. That alone makes it malicious.

      The app takes something without adverts and adds advertising. Those adverts are annoying, eat into data limits (however slightly) and make the app more awkward to use. That is malicious

      Yeah, the guy didn't have harm as his primary intention, his primary intention was to get money. The harm is a side-effect. But a predictable and obvious side-effect, so he would have known that the app would do harm and therefore he intended that harm to happen.

      I wonder why I should bother reading comments from people with no grasp of reality or logic.

      1. Terry 6 Silver badge

        Re: Yawn

        In fact...

        The app is fraudulent. That alone makes it malicious.

        The app takes someone else's product without adverts and adds advertising.

  9. Doctor_Wibble
    Mushroom

    The cunning disguise was to add a space at the end?

    Anyone who has ever tried searching for anything with an odd name similar to something common will know that search engines, including the one that starts with 'g', will give you pages of results containing the common-named thing and not what you searched for until about page 9, even if it says 'including results for...'.

    So how the fck did this get missed, is there not some clever 'this name has been used already' detection apparatus that actually notices it had to go 9 pages in?

    I'm glad I didn't get affected, and I'm assuming this only affected new downloads/installs and not updates - any apparent annoyance is that I'm having to trust this system that has fallen so short on something so humungously basic.

  10. Anonymous Coward
    Thumb Down

    All Apps Good?

    I don't understand why almost every app in the Play store have at least four stars.

    1. Version 1.0 Silver badge

      Re: All Apps Good?

      It's not available on the Play Store ... but there's an app that developers can use to make sure that their apps get good ratings ... it's called ClickBot.

    2. Anonymous Coward
      Anonymous Coward

      I don't understand why almost every app in the Play store have at least four stars.

      I believe the average product rating on Amazon is 4.6 stars? Then you read the 4+ Star reviews, and realize that people have given that rating to products they have ordered but not received, products that broke on first use, products that don't do what was claimed at all, etc.

      That is when I realized: a great many of the reviews are really only useful as an abbreviated IQ test of the reviewer.

  11. Stevie

    Bah!

    Do you remember those stupid "your computer has a virus because you have been browsing adult sites. Click for free scan" pop-ups in the America On-line days?

    Well I weakened and bought a smart phone. Some days into my proud ownership I started getting these antique scam pop-ups. I used malwearbytes to do a real scan but it found nothing awry.

    So I began doing a bit of CSI work in Mr Brain. When did the messages first appear? What had I added to the meager family of apps I use (I don't game on it and only get what I need)? I hope to goodness it isn't the Neutron music player.

    The answer? The BBC News app. I ditched that and the pop-ups went away too. Shame really. I use it on the iPad and it has been very useful.

  12. Anonymous Coward
    Anonymous Coward

    likely the writer of the fake version is going to be banned

    really?!

    1. TheVogon

      Re: likely the writer of the fake version is going to be banned

      "likely the writer of the fake version is going to be banned"

      Or at least the throw away email account he used will be banned...

  13. Anonymous Coward
    Anonymous Coward

    Zzzz

    Don't know what an "app" is, or a "WhatsApp"

    Don't use a "Play Store"

    Fuck Booble

  14. Unicornpiss
    Unhappy

    As a longtime Android user..

    ..and enthusiast, this makes me sad. IMO, Android is the most flexible, versatile, and to me, most logical to use platform. And this sort of thing is what gives it a bad name. Apple is very, very good at making their platform a walled garden and thoroughly (for the most part) vetting their available apps for malware. (functionality may be a different story) One of the joys of Android is the openness of the platform and the ability to side-load apps if you want. With this freedom comes the ability to really screw up your device. But there should not be poisoned apps in the main repository that your grandma is downloading from.

    1. Anonymous Coward
      Anonymous Coward

      Re: As a longtime Android user..

      I moved to IOS last year because I was worried about the continued balls up on the google play store and many of my favourite apps turning up on IOS. I'd happily go back to Android if I had more confidence in the apps on the app store, this sort of thing doesn't fill be with confidence.

      I'm no IOS fanboy by any means but personally it's the only one I have some confidence in actually keeping their walls garden vaguely tidy. Then again Apple will have made my phone obsolete in 2 years so I'll have little reason to stay.

  15. Packet

    Oh the joys of beholding the cesspool that is Android and the Google Play Store...

    (go ahead and downvote, you know it's true)

  16. MatsSvensson

    Unsafe by design

    Google clearly gives zero fucks about security in their shitty app-shop.

    The fact alone, that they do everything they can to help scammers hide malware, is enough.

    Try to find for example, a flash-light app, by searching only for those who requires zero unnecessary rights.

    Yep, there is no way to easily separate a flash-light app that is only a flash-light app, from the 9999 ones that require your to allow it to edit your address-book or allow the programmer to enter your apartment at night and put their balls in your mouth, or similar 1000% flash-light unrelated shit.

    Last time i checked, you had to actually begin the installation, to find out why you would get.

    Then do that 1000 times to find the one spring-surprise, that doesn't pierce your cheek.

    Or just bend over and click yes blindly to everything, to get on with your life, like you are supposed to.

    Who the fuck designs a app-shop like that?

    Halfwits or criminals, they have to be one or the other at Google.

    1. This post has been deleted by its author

  17. Almost Me
    Big Brother

    Just in case you thought Google cared and/or Google engineers were intelligent...

    Just checked in the app store: there are two new fake WhatsApp apps... if adding a Unicode space no longer works, just add an asterisk or an ellipsis...

  18. Anonymous Coward
    Happy

    I'm sitting in my walled garden...

    ...on a comfortable chair, enjoying the sun and a large Hendricks and Fever Tree G&T and having a jolly good laugh about this story.

  19. DJO Silver badge

    I got an email a few weeks ago telling me to update WhatsApp along with a (very suspect) URL.

    I don't now, have never in the past and have no future intention of ever using WhatsApp so I binned the mail. I wonder if that mail pointed to this item?

  20. tiggity Silver badge

    caveat emptor

    Even if the products are free, still beware.

    It was ever thus.

    Although I only use a handful of apps beyond Android defaults, not being a social media devotee, so in my case not too time consuming, it’s fairly easy & painless as a user to check that I am installing the correct one (instead of some impersonator).

  21. Anonymous Coward
    Anonymous Coward

    I believe I had the "update" app waved in front of me

    By something built-into my phone. Without thinking too deeply, I figured the app would self update, and ignored the Play-store link. It might have been the "free AVG" - whose built in ads ironically promote some very dubious apps while looking like they're AVG-recommendations!

    It's a mess.

    Sigh.

  22. Anonymous Coward
    Anonymous Coward

    Hmm, maybe they should use their AI to spot similarities in visual style and text between registered apps and others, and text and address chains from known offenders between apps, and dump those to the team for immediate examination? Just saying.

    You can then dump details of local offenses to their local authorities. Country A citizen releases what is basically an attack against mainly country b's citizens, but it gets to his local citizens in country A. Authorities in A now have a lead and and a list of local victims. You also notify victims in A so they can hassle authorities in A, and protest. After courts in country A are done, you then arrange for prosecution and expedition to country B, as you have created such a storm in country A they are probably willing to hand him over for a consecutive jail term. You then pass him around other countries for prosecution and consecutive jail terms. Maybe then the rest of his mates might think they shouldn't do the same.

    The industry, like Google, can set up information sites to inform victims what they should do in their country and refer them onto local legal firms and authorities. They set up procedures to identify, prosecute perpetrators, and contacting victims, with popups on their devices and apps. The law firms can go after the perpetrators and whoever is helping them, in class action, to go after all their holdings and assetts personal and business.

    But what do we have. An industry not doing this.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like