Google’s app store was infiltrated by a fake WhatsApp application late last week that more than 1 million people downloaded.
According to a news report in Forbes, citing security researchers who have been warning for years about the prevalence of fake apps in Google’s app store, there have been many apps that look similar to the real thing, but are indeed fraudulent. The fake WhatsApp was the most downloaded of the many copycat apps that made it into Google's app store this year, as developers seem to prefer making copies of that app, and have been doing so since 2013.
Eleven Paths security researcher Sergio de los Santos told Forbes that while Google has patented technology to improve detection of rogue apps, the bad guys have found ways around it. A popular trick is using blank spaces and Unicode characters that make the developer and titles of the apps look legitimate.
Other security experts have told Forbes that Google is also being tricked by developers who are being creative with characters. One example cited was a fake Instagram app that ESET security researcher Lukas Stefanko spotted on Google Play. The app has the same name and developer name as the real one, but the developer’s name started with a letter that was smaller than the original.
“Based on what happened, we can assume that Google probably doesn't have any app name, developer name or icon checks for newly uploaded apps,” Stefanko said.
The rogue developers are also making the apps look legitimate by adding fake reviews, and have limited the malicious actions so that Google’s automated scanning tools can’t pick it up, noted the report.