If you recently downloaded the Android version of WhatsApp from the Google Play marketplace, you might want to be sure it's the real thing.
Credit: Kevin Beaumont
Redditors on Friday discovered that a fake WhatsApp program available in Google Play had been downloaded more than 1 million times before Google took it down. The app, officially known as Update WhatsApp Messenger, had a Google Play page with the same look and feel as the real Facebook-owned WhatsApp.
It was even developed by someone who chose the developer name "WhatsApp Inc." to make people think it was a legitimate program. (The developer name had a couple of invisible characters appended after "Inc.," which was enough to fool Google's not-so-intelligent "machine intelligence" app screener.)
When users booted up the app, they found a chatting interface. However, the real focus was on serving those users ads. That in itself is more annoying than dangerous, although the app's code could have been tweaked to inject malware directly or lead users to websites that might try to do the same.
According to one Redditor who took apart the app, it ditches the title and icon to try "to hide itself" and keep attracting users.
Facebook's WhatsApp, with a purported 1 billion daily active users, is one of the most popular chat applications in the world, letting users send text, audio and video to one another. WhatsApp also encrypts communications so that users can talk without worrying too much about an unauthorized person peering in to see what the discussion is about.
How to Avoid Fake Apps
When looking at any app listing on Google Play, be sure to see if the name matches the actual name of the app. If there's an extra word or character tossed in, chances are it's not the real thing.
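The name check above can be automated. The following Python script is an added example, not code from this article or from Google or WhatsApp: it flags the invisible characters described earlier (Unicode format and control characters, and also non-ASCII spaces, which it covers as well) and reports whether a listed developer name matches a trusted one only once those characters are stripped. The trusted name and the sample listings are constructed for the example.

```python
import unicodedata

# Categories that render as nothing: "Cf" (format characters such as ZERO WIDTH
# SPACE, ZERO WIDTH JOINER, bidi controls) and "Cc" (control characters).
INVISIBLE_CATEGORIES = {"Cf", "Cc"}
# Space-like categories; anything here except a plain ASCII space (NO-BREAK
# SPACE, THIN SPACE, ...) looks like a space but compares unequal to one.
SPACE_CATEGORIES = {"Zs", "Zl", "Zp"}

def find_hidden_chars(name):
    """Return (index, 'U+XXXX NAME') for each invisible or exotic-space character."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in INVISIBLE_CATEGORIES or (cat in SPACE_CATEGORIES and ch != " "):
            hits.append((i, "U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>"))))
    return hits

def canonical_name(name):
    """Collapse lookalikes onto the genuine spelling: NFKC (maps NBSP and
    friends to a plain space), drop invisible characters, squash whitespace, casefold."""
    normalised = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in normalised
                      if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    return " ".join(visible.split()).casefold()

def check_developer(listed_name, trusted_name):
    """'exact' if the strings match, 'lookalike' if they match only after hidden
    characters are removed (the trick described above), otherwise 'different'."""
    if listed_name == trusted_name:
        return "exact"
    if canonical_name(listed_name) == canonical_name(trusted_name):
        return "lookalike"
    return "different"

# Constructed sample developer names (hypothetical, not the real Play listings).
TRUSTED_DEVELOPER = "WhatsApp Inc."
SAMPLE_LISTINGS = [
    "WhatsApp Inc.",              # genuine
    "WhatsApp Inc.\u200b\u200c",  # zero-width space + zero-width non-joiner appended
    "WhatsApp\u00a0Inc.",         # no-break space instead of a plain space
    "WhatsApp Messenger Update",  # plainly a different name
]

def audit_listings(listings=SAMPLE_LISTINGS, trusted=TRUSTED_DEVELOPER):
    """Map each listed name to (verdict, hidden characters found)."""
    return {name: (check_developer(name, trusted), find_hidden_chars(name))
            for name in listings}
```

Calling audit_listings() on the samples returns "exact" for the genuine name, "lookalike" for the two padded variants together with the exact code points that were hidden, and "different" for the unrelated name.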
You might also want to read the app description to ensure it lists the features you'd expect. Some of the fake apps also have fake icons, which can be a giveaway. If you know an app should cost something, but you see it listed as free, be very suspicious.
One of the best ways to ensure authenticity is just to go to the app developer's website and click the Google Play download link there. Most developers link you straight to the correct page on Google Play.
In the event you mistakenly download a malicious app, delete it immediately, report it to Google and consider writing a negative review on the Google Play page to alert other users. App reviews are often a good place to determine whether an app is real or not.
You should also make sure "unknown sources" is turned off as a download source in your Android device's security settings. This restricts you to the Google Play store; it's arguably an unfair restriction as Amazon's Android app store is just as safe, but it prevents dodgy websites from trying to install apps on your phone.
Part of a Bigger Issue
The fake WhatsApp app is bad enough, but it highlights a bigger problem in the Google Play marketplace.
Security expert Kevin Beaumont on Sunday shared a screenshot on Twitter showing a simple search for "whatsapp" in Google Play. The results returned a slew of apps that appear to come from Facebook and WhatsApp but are actually fakes aimed at scamming users.
"This is a small number of the WhatsApp apps," Beaumont tweeted.
He added that only one of those in the lineup isn't malware or fake. How or why all those fakes got past Google's much-ballyhooed Bouncer app screener is something that Google needs to answer.
Until Google gets its act together and hires humans to start screening Android apps, it's best to run third-party Android antivirus apps. (The built-in Google Play Protect is simply not ready for prime time.)
As this phony WhatsApp app has been removed from Google Play, we can't tell you whether any antivirus app would have blocked it. But in general, third-party Android security apps have less tolerance for dodgy behavior than Google itself does.