Over a million Android users may have been duped into downloading a fake WhatsApp app from Google Play, thanks to a single invisible character.
The app, called Update WhatsApp Messenger, passed itself off as the genuine service by listing its developer as “WhatsApp Inc.”, the same developer title the real Facebook-owned messenger uses on Google Play.
The only difference was a Unicode non-breaking space (U+00A0) that the app maker appended to the “WhatsApp Inc.” name. In the listing’s URL the difference is obvious, because the character is percent-encoded: the developer name reads WhatsApp+Inc%C2%A0, where C2 A0 are the UTF-8 bytes of that character. But to an average user browsing Google Play, a trailing space is effectively invisible.
Reddit users spotted the problem on Friday. The fake was not a chat app at all; it served users ads prompting them to download other apps. As Motherboard noted, Avast researcher Nikolaos Chrysaidos pointed out that it had been downloaded at least 1 million times.
The developer behind the app is unknown, but the culprit later renamed it “Dual Whatsweb Update” and dropped the “WhatsApp Inc.” developer title. The app has since been removed from Google Play.
“I can confirm that the app was removed from Google Play and the developer account was suspended for violating our program policies,” a Google spokesperson said Friday.
Fake Android apps are nothing new, and they are often used to spread malware on mobile phones. But the WhatsApp incident is worrisome because Google does not appear to have noticed the problem itself. Google Play rules prohibit apps from impersonating another brand’s title or logo, and the company has introduced new security measures to keep malware off the platform.
Attackers have used similar tricks, such as substituting Cyrillic letters for visually identical Latin ones, to register legitimate-looking lookalike domain names.
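The two tricks described above, an appended invisible character and a swapped-in letter from another script, are both cases of a name that renders like a protected brand but does not compare equal to it. The following is an added example, not code from the article or from Google, of the kind of check a store or registrar could run over developer names: it shows the percent-encoded form the article quotes, collapses a name to a comparison key so the padded name is caught as a lookalike, and flags names that mix scripts. The invisible-character set and the script heuristic (taken from the first word of each letter’s Unicode name) are this example’s own simplifications, and the sample names are constructed.

```python
"""Flag publisher names that look like a protected brand but differ by
invisible or confusable Unicode characters. Added example; heuristic only."""
import unicodedata
from urllib.parse import quote_plus

# Characters that render as nothing or as plain spacing, so one appended to a
# name is invisible in a store listing. Sample set for this example, not exhaustive.
INVISIBLE = {
    "\u00a0",  # NO-BREAK SPACE, the character behind the fake "WhatsApp Inc."
    "\u2007",  # FIGURE SPACE
    "\u202f",  # NARROW NO-BREAK SPACE
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE (byte order mark)
}


def url_form(name: str) -> str:
    """Percent-encode a name as it appears in a query string. A plain space
    becomes '+'; a no-break space is the two UTF-8 bytes C2 A0, hence %C2%A0."""
    return quote_plus(name)


def canonical(name: str) -> str:
    """Reduce a display name to a comparison key: NFKC-normalize (which maps
    U+00A0 to a plain space), drop zero-width characters, fold case, and
    collapse runs of whitespace. Two names with the same key look the same."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    return " ".join(text.casefold().split())


def letter_scripts(name: str) -> set:
    """Heuristic script detection: the first word of each letter's Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Enough to spot mixed-script homographs."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def audit_name(candidate: str, brand: str) -> dict:
    """Explain why `candidate` should be reviewed against the protected `brand`."""
    invisible = [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                 for ch in candidate if ch in INVISIBLE]
    report = {
        "identical": candidate == brand,
        # Same rendered text as the brand, but not the same string: a lookalike.
        "lookalike": candidate != brand and canonical(candidate) == canonical(brand),
        "invisible_chars": invisible,
        "mixed_script": len(letter_scripts(candidate)) > 1,
        "url_form": url_form(candidate),
    }
    report["flag"] = report["lookalike"] or bool(invisible) or report["mixed_script"]
    return report


if __name__ == "__main__":
    BRAND = "WhatsApp Inc."
    # Constructed samples: the real name, the padded name from the article,
    # and a homograph with Cyrillic small a (U+0430) in place of Latin a.
    for sample in (BRAND, BRAND + "\u00a0", "Wh\u0430tsApp Inc."):
        print(repr(sample), audit_name(sample, BRAND))
```

Run it and the padded name is reported as a lookalike carrying `U+00A0 NO-BREAK SPACE`, with the URL form `WhatsApp+Inc.%C2%A0`, while the Cyrillic variant is caught by the mixed-script check rather than by the comparison key, since NFKC does not fold Cyrillic letters into Latin ones. Neither check alone covers both cases, which is why a listing review should run both.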