More than one million people were tricked into downloading a fake Android app that was pretending to be WhatsApp.
The app was called "Update WhatsApp" and is still on the Play Store, although the developer has now changed its name to "Dual Whatsweb Update" and switched the icon, which doesn't look like the WhatsApp icon anymore. But before its facelift, the app mimicked WhatsApp in a clear attempt to trick users into downloading it thinking they were downloading an update for the popular messaging app, according to users who reviewed the app on the Play Store, and users on Reddit, who flagged the malicious app.
This is not the first time someone tries to deceive Android users with fake, malicious apps. The Google Play Store has long been mired by these kind of apps. But based on the number of downloads, this fake WhatsApp app is one of the most successful ever.
"Wow that *is* a lot....jeez!" Stephen Ridley, a security researcher who was one of the co-authors of the Android Hacker's Handbook, told in a Twitter direct message.
"These things are not getting enough scrutiny [...] why wouldn't an app that has a huge number of downloads receive a little additional security scrutiny," Ridley added in a subsequent phone call.
Nikolaos Chrysaidos, a security researcher at anti-virus company Avast, said that the fake WhatsApp app was used to create revenue through ads. Chrysaidos has spotted a few similarly malicious apps, such as a fake Facebook Messenger app that he said was downloaded 10 million times.
The app's developer did not respond to a request for comment. A Google spokesperson also did not immediately respond to a request for comment.
It looks like in this case, the people who got fooled by the fake app got lucky, as the app's goal was just to create advertising revenue. But hackers can use the same techniques—spoofing legitimate apps and sneaking them onto the Play Store—to hack victims. In the last couple of years, Google has made significant improvements in an attempt to close the gap with Apple and iOS in terms of security. But until the company does better at cleaning up the Play Store, users will be vulnerable.
"We see SO many fake copies and fraudulent apps," Mike Murray, who works at mobile security firm Lookout, told Motherboard. "It's always going to be a cat & mouse game between the bad guys and the good guys."
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at email@example.com, or email firstname.lastname@example.org
Get six of our favorite Motherboard stories every day by signing up for our newsletter.