
Fake WhatsApp - 1 Million Downloads

By Francis West on 8th November 2017

A fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people.

Discovered By Reddit Users

Keen-eyed users of Reddit, the US-based social and web discussion forum, spotted that the "Update WhatsApp Messenger" app, available for download in the Google Play store, wasn’t all that it seemed to be.

Clue in Developer Name

The fake WhatsApp was identified because its developer name was made using a special Unicode character that looks like a space, instead of an actual space. Concerned Reddit users were then able to take a screenshot of the subtle difference in the developer name and post it on the Reddit forum to alert others.

Although news of the fake app was then quickly circulated among online tech news channels, one million people had already downloaded the fake app.
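The developer-name trick described above can be caught mechanically rather than by eye. The following is an added example, not code from the original article or from Google: it flags blank-looking Unicode characters in a publisher name and reports names that only match a trusted publisher after those characters are folded away. The publisher names are constructed, and the no-break space used in the samples is an assumption, since the article does not say which character the fake app used.

```python
import unicodedata

# Hypothetical allowlist of publisher names an organisation trusts (constructed).
TRUSTED_PUBLISHERS = {"Example Messenger Inc."}

def suspicious_chars(name):
    """Return (index, code point, Unicode name) for every character that
    renders as blank or invisible but is not the plain ASCII space U+0020."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Zs = space separators (e.g. NO-BREAK SPACE), Cf = invisible format
        # characters (e.g. ZERO WIDTH SPACE), Cc/Zl/Zp = controls and line breaks.
        if ch != " " and cat in ("Zs", "Cf", "Cc", "Zl", "Zp"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def skeleton(name):
    """Fold a name for comparison: NFKC, drop invisibles, collapse spaces, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(c for c in folded if unicodedata.category(c) not in ("Cf", "Cc"))
    return " ".join(folded.split()).casefold()

def classify_publisher(name, trusted=TRUSTED_PUBLISHERS):
    """'trusted' on an exact match, 'lookalike' if it only matches after folding."""
    if name in trusted:
        return "trusted"
    if skeleton(name) in {skeleton(t) for t in trusted}:
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed samples: the second ends in U+00A0, the third hides U+200B.
    for sample in ["Example Messenger Inc.",
                   "Example Messenger Inc.\u00a0",
                   "Exam\u200bple Messenger Inc."]:
        print(repr(sample), classify_publisher(sample), suspicious_chars(sample))
```

A "lookalike" verdict is the case that matters here: the name is byte-for-byte different from the trusted publisher yet indistinguishable on screen.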

What Does It Do?

According to tech commentators who have installed and decompiled the app, it is an ad-loaded wrapper (with minimal Internet access / permissions) which contains some code to download a second apk, also called “whatsapp.apk”. The fake app hides itself by not having a title and having a blank icon.

The result for those who have downloaded and tried to use the app is that they receive spam adverts, and are unable to detect and delete the app.

Google Play Fooled, Again

What has shocked and angered many victims and tech commentators is that Google Play was fooled into offering the fake, spamming app as a download. Unfortunately, it’s not the first time that something like this has happened with Google Play. Back in 2015, Google had to block a malicious app submitted to its Play store that spoofed BatteryBot Pro. The fake app was able to send premium-rate text messages, and block people from deleting it.

What Does This Mean For Your Business?

Most people place trust in well-known brands and perceived reliable ‘expert’ sources so, in this case, quite apart from the upset and trouble that the fake app has caused, there has been a sense of shock and anger that consumers were left exposed to risk by the brand platform that they had placed their trust in. Although the obvious advice would be to always check what you are downloading and the source of the download, the difference between the fake app and the real thing (in this case) was so subtle that users (and perhaps Google) could be forgiven for making a mistake.

The fact that many of us now store most of our personal lives on our smartphones makes incidents such as these all the more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents.

To minimise the risk of falling victim to damage caused by fake apps, you should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone's service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.
