Potentially millions of Android users downloaded a fake WhatsApp app from the Google Play Store, in an episode that highlights the store’s enduring and hazardous weaknesses.
Over one million Android users were tricked into downloading a fake WhatsApp app from Google’s Play Store, in one of the biggest examples of malicious app deception.
The app, “Update WhatsApp”, remained on the Play Store for some time after discovery. After Reddit users alerted the world to its malicious nature, its developer renamed it “Dual Whatsweb Update” and switched its icon so that it no longer resembled WhatsApp.
[Embedded tweet by Nikolaos Chrysaidos (@virqdroid), October 5, 2017]
“The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’. The app also tries to hide itself by not having a title and having a blank icon,” one wrote.
Prior to its makeover, the app almost perfectly mimicked WhatsApp, in a clear attempt to con users.
To dupe users, the malicious developers created a developer ID almost indistinguishable from WhatsApp’s own, save for a single Unicode character, a “no-break space”, appended to the end of its name.
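A trailing no-break space is invisible in a store listing but still makes the string differ byte-for-byte, which is why an exact-match check on the publisher name passes the impostor. The following Python check is an added example (not code from the article or from Google), showing how a store reviewer or a mobile-device-management pipeline could catch this class of lookalike: it folds a displayed name to a canonical key by dropping every Unicode separator and format character, then compares that key against a trusted publisher list. The trusted name “WhatsApp Inc.” and the sample listings are constructed for the illustration; the article does not give the exact impostor string.

```python
import unicodedata

# Unicode general categories that draw nothing visible in a store listing:
# space separators (Zs, which includes the no-break space U+00A0),
# line/paragraph separators (Zl, Zp) and format characters
# (Cf, e.g. the zero-width space U+200B).
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf"}

# Constructed sample: publisher names a store operator treats as trusted.
# "WhatsApp Inc." is assumed here purely for illustration.
TRUSTED_PUBLISHERS = {"WhatsApp Inc."}


def canonical(name: str) -> str:
    """Reduce a displayed publisher name to a comparison key.

    NFKC folds compatibility forms (fullwidth letters, no-break space to a
    plain space), every separator or format code point is then dropped and
    the remainder is case-folded, so "WhatsApp Inc." followed by U+00A0
    collapses to the same key as the genuine name.
    """
    folded = unicodedata.normalize("NFKC", name)
    visible = [ch for ch in folded
               if unicodedata.category(ch) not in INVISIBLE_CATEGORIES]
    return "".join(visible).casefold()


def hidden_codepoints(name: str) -> list:
    """List the invisible code points (other than an ASCII space) in the raw name."""
    return [f"U+{ord(ch):04X}" for ch in name
            if ch != " " and unicodedata.category(ch) in INVISIBLE_CATEGORIES]


def check_publisher(name: str, trusted=TRUSTED_PUBLISHERS) -> dict:
    """Classify a publisher name against the trusted set.

    exact     - the name is byte-for-byte a trusted publisher
    lookalike - not exact, but canonically identical to a trusted publisher
    hidden    - invisible code points found in the raw name
    """
    key = canonical(name)
    exact = name in trusted
    lookalike = not exact and any(canonical(t) == key for t in trusted)
    return {"exact": exact, "lookalike": lookalike,
            "hidden": hidden_codepoints(name)}


if __name__ == "__main__":
    # Constructed listings: the genuine name, a copy with a trailing no-break
    # space, a copy with a zero-width space inserted, and an unrelated name.
    for listing in ["WhatsApp Inc.", "WhatsApp Inc.\u00a0",
                    "WhatsApp\u200bInc.", "Dual Whatsweb Update"]:
        print(repr(listing), check_publisher(listing))
```

The design point is that the comparison key and the evidence are computed separately: `canonical` decides whether a name collides with a trusted publisher, while `hidden_codepoints` reports exactly which invisible characters were used, which is the detail a reviewer wants in the rejection reason.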
[Embedded tweet by Nikolaos Chrysaidos (@virqdroid), October 11, 2017]
App stores are no stranger to malicious apps, but having been downloaded anywhere between one and five million times, the fake WhatsApp was one of the most successful ever, although it pales in comparison to the top spot: a fake Facebook Messenger app that was downloaded 10 million times.
Scams of this kind often use fake reviews to boost their visibility; this one boasted over 6,000, and its star rating was a high four.
In this instance, fooled downloaders were relatively lucky, as the malicious app merely aimed to generate revenue by blasting users with ads. Other fake apps have often aimed to steal user data or hack users outright; an emerging trend also sees cryptocurrency miners hidden in apps, which use a device’s CPU without permission.
In 2015, IT security giant ESET found a variety of apps on the Play Store that perfectly emulated existing apps, aggressively targeted users with ads, and employed numerous techniques to evade detection by Google Bouncer, which Google uses to prevent malicious apps from entering the store. In addition, the apps contained self-preservation code to make removal more complicated.
Similarly, Trend Micro surveyed the top 50 free apps on Google Play, and found 77 percent had fake counterparts. Moreover, every top 10 app in the Google Play category “widgets, media and video, and finance” had fake doppelgangers, 90 percent of “business, music and audio, and weather categories” apps had corresponding forgeries, 70 percent in “games, books and reference, and live wallpapers,” 60 percent in “sports and education” and 40 percent in “medical.”
In all, the group found over one million fakes.
[Embedded tweet by Anomali (@Anomali), November 3, 2017]
Google has attempted to improve the store’s security in order to bring its standards closer in line with Apple’s, but a significant deficit remains. The company has gone as far as to create a bounty program, Google Play Security Reward, offering accredited security researchers up to US$1000 for every malicious app they identify, although no such inducement is offered to users who merely find and report fake apps.
Nonetheless, although Google lags behind Apple, Apple’s own app store was revealed in October to be plagued by a devilishly simple vulnerability: malicious applications that abruptly ask users to enter their Apple ID credentials.
Its discoverer, software engineer Felix Krause, noted that users often won’t question the legitimacy of an Apple ID password request, making such spoofs a very dangerous form of phishing. All an app needs to do is show a UIAlertController popup, an incredibly common part of an app.
[Embedded tweet by Gary Dower (@GaryDower), October 26, 2017]
Krause was able to add fake dialog windows to an app with under 30 lines of code, which he says are “literally the examples provided in the Apple docs, with a custom text.”
However, such a spoof is relatively easy to detect: users simply have to press the home button when presented with a popup asking for a password. If the app can be sent back to the home screen, the request was not legitimate; real system dialogs that ask for passwords run as a separate process and can’t be dismissed in that manner.