Bogus 'WhatsApp' Chat Client Downloaded 1 Million Times

John Lister's picture

Scammers used a computer code loophole to trick more than a million people into downloading a rogue Android app. The fake variant of WhatsApp appears to have been designed to distribute ads.

The bogus app took advantage of the popularity of the genuine WhatsApp Messenger, which has been downloaded more than 60 million times on Google Play alone. It's a tool for exchanging messages with friends or groups over the Internet rather than eating into SMS text message allowances.

Extra Space Went Unseen

"Update What's App Messenger" was one of numerous bogus apps that tried to mislead users with similar-sounding names and logos. The logic seems to be that even if only a tiny percentage of people looking for the real thing are fooled, it still adds up to a large number of victims.

Besides the name and logos, each app listing also contains the name of the developer. In theory the way Google catalogs apps means only one company can use any specific name. Most of the bogus apps use names that are close to the real developer ("WhatsApp Inc.") but the slight difference is at least another sign of a potential scam. (Source: vice.com)

In this particular case, however, the scammers inserted code that generates a space on web pages, so the developer appeared to be "WhatsApp Inc. " with a trailing space. Because the space fell at the end of the line of text, the difference is completely invisible to a reader and can only be seen by inspecting the source code. (Source: bbc.co.uk)

Permissions System Has Some Effect

In theory Google could ban developers from using special character codes (known as Unicode) when setting up an account and choosing a name, instead insisting on plain text characters. The drawback is that this would cause problems for languages that don't use the Latin (or 'Western') alphabet.
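One way a store could screen new developer names for the invisible-space trick without banning Unicode names outright, shown as an added example (not code from Google or from the original article). The protected list, function names and sample names are constructed for illustration.

```python
import unicodedata

# Constructed list of developer names to protect (assumption for this example).
PROTECTED = ["WhatsApp Inc."]

def is_invisible(ch):
    """True for separators (Z*), format chars (Cf) and control chars (Cc)."""
    cat = unicodedata.category(ch)
    return cat[0] == "Z" or cat in ("Cf", "Cc")

def skeleton(name):
    """Comparison key: NFKC-fold, drop invisible characters, ignore case."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(c for c in folded if not is_invisible(c)).casefold()

def invisible_chars(name):
    """List (index, code point, Unicode name) for each suspicious character.

    An ordinary ASCII space inside the name is normal; a leading or trailing
    one, or any other invisible character anywhere, is reported.
    """
    lo = len(name) - len(name.lstrip(" "))   # end of leading ASCII spaces
    hi = len(name.rstrip(" "))               # start of trailing ASCII spaces
    found = []
    for i, ch in enumerate(name):
        on_edge = i < lo or i >= hi
        if is_invisible(ch) and (ch != " " or on_edge):
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return found

def check_developer_name(candidate, protected=PROTECTED):
    """Return ("duplicate" | "lookalike" | "ok", evidence list)."""
    for real in protected:
        if candidate == real:
            return "duplicate", []
        if skeleton(candidate) == skeleton(real):
            return "lookalike", invisible_chars(candidate)
    return "ok", []

if __name__ == "__main__":
    # Constructed sample registrations; the last one is a non-Latin name
    # that must still be accepted.
    samples = ["WhatsApp Inc.", "WhatsApp Inc.\u00a0", "WhatsApp Inc. ",
               "WhatsApp\u200b Inc.", "Пример ООО"]
    for s in samples:
        print(repr(s), check_developer_name(s))
```

A check like this only catches names that differ by invisible characters; visibly different near-miss names still need separate review.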

One relief is that the scammers were "only" trying to get the rogue app onto phones to display bogus ads and then collect cash from the advertisers. That's because Android's security system means apps need to ask for permission for other actions that could be abused, such as making phone calls or accessing files. Users appear to be getting wiser about refusing such permissions when they look sketchy.

What's Your Opinion?

Can Google do more to stop rogue apps posing as real ones? Does the sheer numbers game mean successful apps will always be the target of look-alike scams? Have you ever been misled by an app or other software download?


Comments

equestrian_colt's picture

About an app called WhatsTablet, also known as Tablet for WhatsApp: it was the exact same logo as WhatsApp and I could have sworn said the exact same developer. However, after the news article about WhatsApp I decided to check both of my apps out, WhatsApp and WhatsTablet. I seem to be lucky, I didn't download the rogue WhatsApp. However, WhatsTablet was no longer so I went on Google Play to see if there was an update or some info. It was nowhere to be found on Google Play anywhere. It didn't even show up in my downloaded apps section of the Play Store, but it was still on my tablet. So I went online to look up WhatsTablet, and the only info, including a very suspicious site, was part in English and part in German with no developer info at all. When I first installed WhatsTablet, after researching comments I thought it was from the developer of WhatsApp and figured it to be safe since it was on Google Play. I paid $4.49 to get the ads removed. Now it doesn't work and is no longer on the Play Store. So I contacted Google; they found this to be very suspicious as well, because even they have no developer info or any signs that it existed. But I do have the receipt from paying for the ads to be removed.
I feel the criminals found a new way to steal money by putting their app on the Play Store, making it seem legit, and then after they make so much money they pull or get kicked off the Play Store and somehow get to keep all the money they made. The app quits working, all their developer info vanishes, and they just ripped off everyone who paid to have ads removed. I wasn't concerned so much about getting my money back as much as I am concerned about letting everybody know that possibly got ripped off, and making them aware they have found a new trick to steal your money through the Google app store. Google couldn't refund me, but like I said, I wasn't worried about that.