What’s in a name?
A space, as it turns out. Not just any space mind you, a special kind of space known as a non-breaking space. Under normal circumstances the humble non-breaking space character glues two words together so that they can’t be split up at the end of a line. Not so on Google Play.
On Google Play, the marketplace for Android apps, the non-breaking space takes on chameleon-like powers, allowing scammers, chancers and other such ne’er-do-wells to create fake apps and pretend they were made by the authors of the apps they’re mimicking.
At least that’s what happened about four days ago to an app that you and a few billion others might have heard of: WhatsApp.
On Friday 3 November an app called Update WhatsApp Messenger was spotted on Google Play. The app was decked out in all the greenery and speech-bubble-logoed finery you’d expect of a legitimate WhatsApp and, most crucially, it appeared under the developer name WhatsApp Inc. .
Fake WhatsApp Update on #GooglePlay. Under the "same" dev name. Incl. a Unicode whitespace. One Million downloads https://t.co/qjqxd6n6HP pic.twitter.com/dmvTksqpuP
— Nikolaos Chrysaidos (@virqdroid) November 3, 2017
Got that? Let me illustrate the point with some quotation marks.
The developer wasn’t the “WhatsApp Inc.” you might be thinking of, the company behind WhatsApp, but “WhatsApp Inc. ” (with an extra trailing space), transient purveyors of knock-off fakery.
The difference is a little more obvious (at least it was to a bunch of diligent Redditors) if you look at those same developer IDs as they appeared in Google Play URLs. URL-encoded links for products made by the real WhatsApp Inc. developer contained the name WhatsApp+Inc. whereas links for the sham app contained the name WhatsApp+Inc.%C2%A0 (the two bytes %C2%A0 are the UTF-8 encoding of the non-breaking space, U+00A0, which a browser renders as an ordinary space and which the eye simply doesn't register at the end of a name).
Yes, that’s correct, the elite hacking technique that allows a guy in his basement to pull the wool over Google’s all-seeing eyes is a space character.
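To make the trick concrete, here is a small added example (written for this page; it is not code from Sophos, Google or WhatsApp, and the developer names in it are constructed samples, not data scraped from Google Play). It shows why the two names look identical on screen but differ in a URL, lists the invisible code points that make a name suspicious, and runs the check a store or a security team could apply: normalise each developer name and flag any that collide with a trusted brand without being byte-for-byte identical to it. The example goes slightly beyond the article's single case by also catching other invisible characters such as the zero-width space.

```python
import unicodedata
from urllib.parse import quote_plus

# Constructed sample developer names (not scraped from Google Play):
# the genuine name and the impostor, which differs only by a trailing
# NO-BREAK SPACE (U+00A0) that renders invisibly beside the logo.
REAL_DEV = "WhatsApp Inc."
FAKE_DEV = "WhatsApp Inc.\u00a0"


def url_form(name: str) -> str:
    """Encode a developer name the way it shows up in a URL query string:
    ASCII spaces become '+', everything non-ASCII becomes %XX UTF-8 bytes.
    This is where the impostor name stops being invisible."""
    return quote_plus(name)


def suspicious_codepoints(name: str) -> list:
    """List every character that is not a plain ASCII space but still
    behaves as whitespace or as an invisible format control (Zs/Cf)."""
    out = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if ch != " " and (ch.isspace() or cat in ("Zs", "Cf")):
            out.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?")))
    return out


def normalize_dev_name(name: str) -> str:
    """Fold a displayed name down to what the eye actually compares.
    NFKC maps compatibility forms (NO-BREAK SPACE, fullwidth letters, ...)
    to their canonical equivalents; invisible format controls such as
    ZERO WIDTH SPACE are dropped; remaining whitespace is collapsed and
    stripped; case is folded."""
    s = unicodedata.normalize("NFKC", name)
    chars = []
    for ch in s:
        cat = unicodedata.category(ch)
        if cat == "Cf":
            continue                 # zero-width joiners, RTL marks, etc.
        chars.append(" " if ch.isspace() or cat == "Zs" else ch)
    return " ".join("".join(chars).split()).casefold()


def find_lookalikes(candidates, trusted):
    """Return (candidate, trusted_name) pairs where a candidate developer
    name collides with a trusted brand after normalisation but is not
    byte-for-byte identical to it. An exact match is not reported."""
    trusted_by_key = {normalize_dev_name(t): t for t in trusted}
    hits = []
    for name in candidates:
        key = normalize_dev_name(name)
        if key in trusted_by_key and name != trusted_by_key[key]:
            hits.append((name, trusted_by_key[key]))
    return hits


if __name__ == "__main__":
    listings = [REAL_DEV, FAKE_DEV, "WhatsApp Inc.\u200b", "Some Other Dev"]
    for n in listings:
        print(repr(n), "->", url_form(n), suspicious_codepoints(n))
    print(find_lookalikes(listings, [REAL_DEV]))
```

The important design point is that the comparison is done on the normalised form, not the raw string: a plain `==` against "WhatsApp Inc." passes the impostor straight through, while the normalised key collides and the raw-bytes inequality is exactly the signal you want to alert on.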
The Redditors who noticed the problem eventually chased the adware disguised as the world’s favourite messaging app off of Google Play, but not before a huge number of people had downloaded it, as Reddit user Sunny_Cakes noted:
It already has 1 million installs lul. For shame google, for shame
This isn’t the first time that Google has been forced to pull apps from Google Play – in August it removed 500 apps that had been downloaded a total of 100 million times between them.
Searching for popular apps on Google Play often shows the app you’re looking for surrounded by a host of imposters. With tricks as simple as copying a logo and adding a space to a developer’s name available to the fakers, it’s no wonder.
If you discover a fake app on Google Play, report it to Google. For more insight into the problems of Android malware, download the Sophos 2018 Malware Forecast.
Ian P
The benefit of having dedicated “app stores” was to prevent things like this from happening. If you can’t trust the app stores, then we might as well go back to the wild wild west, when we would download .exe’s from anywhere and take our chances.
Mark Stockley
Things are orders of magnitude better inside app stores than out. The point is that you should never, ever rely on a single layer of security to protect you. Practice defence in depth.
Mahhn
I’ll bet a Dark chocolate snickers bar that google didn’t send out notification to any of the people that downloaded it. If it was a smaller company they would be burning in news media hell for that.
Tracy
With all due respect Mr Stockley, what about the acclaimed Google Play Protect as added protection? I understand if the app was just a fake, hard to spot I suppose, but if the app contained malware then Google’s following claim is so much smoke. How does this **Quoted from Googles own site** make me feel any better?
((All Android apps undergo rigorous security testing before appearing in the Google Play Store. We vet every app developer in Google Play and suspend those who violate our policies. So even before you download an app, you know it’s been checked and approved.))
Kudos to the vigilant Reddit crowd and to you Mr Stockley for a fine article.
Paul Ducklin
Apparently “rigorous security testing” doesn’t include checking whether the company name given by the vendor is bogus. Perhaps after doing all that rigorous analysis of the compiled code in the software package there wasn’t any time left to do a basic string match against the company name?
Tracy
You may have the right of it Mr Ducklin. I dare say that if they are lacking in one area then it is a sound bet that other things fail to get done. It just doesn’t instill confidence in me. Things being what they are, I am quickly becoming cyberphobic or maybe it’s just old age catching up with me. LOL!
Graham Davey
So what did this fakery do?
Paul Ducklin
AFAIK, it was all about ads – so, not overt malware in the style of ransomware, data stealers or banking Trojans…
…but definitely not anything to do with “adding value” to WhatsApp :-)
laxmi
Whatsapp google