Google just can't keep scammers out of the Play store.
More than one million people downloaded a fake WhatsApp application last week, but that was just the tip of a dirty iceberg, according to security researchers who've been warning about the problem for years. And in the last year alone, Google has seen apps that look very much like the real thing - from WhatsApp to Facebook, Instagram and many more - but are in fact frauds looking to make a quick buck for the developer.
While the fake WhatsApp (now removed by Google, with the developer banned) is believed to have reached the most downloads of any such copycat this year, security experts say crooked developers have found their way onto the market all too often.
Fooling Google with 'clever characters'
And they're particularly fond of making copies of WhatsApp. As far back as 2013, security firm Eleven Paths was warning about a fake WhatsApp that contained adware (software that serves advertisements and generates views and clicks for them, earning money for the developer who pushes them).
Eleven Paths security researcher Sergio de los Santos said that whilst Google has patented technology to improve detection of rogue apps, the fraudsters have found new ways to get their software onto the official market, and thereby guarantee higher download rates.
The hottest trick right now is startlingly simple: the use of blank spaces and Unicode characters to make the developer name and titles look like the legitimate ones. "This is Google's problem and it is hard to believe they allowed this," he said.
Others have noticed Google being duped by such creative use of characters. Last month, a fake Instagram was spotted on Google Play by ESET security researcher Lukas Stefanko with the same app name, developer name and icon as the real application. There was one crucial difference: the developer's name started with a lower-case letter. "Based on what happened we can assume that Google probably doesn't have any app name, developer name or icon checks for newly uploaded apps," Stefanko added.
Google doesn't seem to have acted on the issue, despite last week's trouble; shortly after the 1 million-download counterfeit was taken down, more appeared from a developer with the same name, Stefanko said in a tweet dated November 5, 2017.
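The trick described above is easy to miss by eye but easy to catch in code. The following Python check is an added example written for this article; it is not code from Google, ESET or Eleven Paths. The developer names it tests are constructed, and its table of look-alike characters is a deliberately small illustrative subset (a production check would use the full Unicode confusables data). It collapses a developer name to a "skeleton" by folding compatibility forms, dropping invisible characters, mapping look-alikes, collapsing whitespace and case-folding, then compares that skeleton against a known legitimate name:

```python
import unicodedata

# Legitimate developer names to protect (constructed list for this example).
LEGIT_DEVELOPERS = {"WhatsApp Inc.", "Instagram", "Facebook"}

# Visually similar characters mapped to their ASCII look-alikes.
# Illustrative subset only; Unicode's confusables.txt has thousands of entries.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def skeleton(name):
    """Reduce a display name to the form a human would perceive."""
    # NFKC folds fullwidth letters to ASCII and no-break spaces to plain spaces.
    s = unicodedata.normalize("NFKC", name)
    # Drop format characters (zero-width space, zero-width joiner, bidi controls).
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Cf")
    # Replace known look-alike letters with the character they imitate.
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    # Decompose accented letters and strip the combining marks.
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if unicodedata.category(ch) != "Mn")
    # Collapse runs of whitespace and trim the ends, then ignore case.
    return " ".join(s.split()).casefold()


def classify(name):
    """Return ("exact", legit), ("lookalike", legit) or ("unrelated", None)."""
    if name in LEGIT_DEVELOPERS:
        return ("exact", name)
    sk = skeleton(name)
    for legit in sorted(LEGIT_DEVELOPERS):
        if skeleton(legit) == sk:
            return ("lookalike", legit)
    return ("unrelated", None)


def suspicious_chars(name):
    """List (offset, codepoint, unicode name) for characters a reviewer should see:
    invisible format characters, non-ASCII spaces, look-alike letters, and a plain
    space at the start or end of the name."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if (cat == "Cf"
                or (cat in ("Zs", "Zl", "Zp") and ch != " ")
                or ch in CONFUSABLES
                or (ch == " " and i in (0, len(name) - 1))):
            found.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "?")))
    return found


# Constructed sample developer names exercising the tricks discussed above.
SAMPLES = [
    "WhatsApp Inc.",           # the real name
    "WhatsApp Inc.\u00a0",     # trailing no-break space, renders as nothing
    "WhatsApp\u200b Inc.",     # zero-width space inside the name
    "Whatsapp Inc.",           # one letter in a different case
    "Wh\u0430tsApp Inc.",      # Cyrillic 'a' in place of Latin 'a'
    "\uff37hatsApp Inc.",      # fullwidth 'W'
    "Telegram FZ-LLC",         # unrelated developer
]

if __name__ == "__main__":
    for n in SAMPLES:
        verdict, target = classify(n)
        print("%-22r %-10s %-15s %s" % (n, verdict, target, suspicious_chars(n)))
```

Note that the case-only fake ("Whatsapp Inc.") yields no suspicious characters at all; it is caught only by the skeleton comparison, which is why a store-side check needs both the per-character report (to show a reviewer what was inserted) and the collapsed-name comparison (to flag what a human would mistake for the original).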
Alongside adding fake reviews to their apps, the developers have also limited their creations' malicious functionality so that Google's automated code-scanning tools will judge them legitimate. From 2013 up to 2015, the fakes were more aggressive, pilfering personal data and in some cases demanding a ransom, said de los Santos. Today's fake apps no longer ask for excessive permissions; instead they push ads and in some cases ask for a small donation via PayPal. It's a subtler way of making money by duping people searching the Play market.
According to de los Santos, the developers behind the range of rogue WhatsApp tools have, so far, achieved about two million downloads in total. "Anything related with WhatsApp moves huge numbers in Google Play."
Who's behind the scams? There are some references in the slew of fake WhatsApps to Jombang, a regency of East Java, Indonesia, de los Santos noted. He also found that they were created somewhere in the GMT+7 timezone, again indicating a possible link to Indonesia. "But attribution is tricky, we should not trust it," he cautioned.
A more severe threat coming?
Stefanko is more concerned about those who will exploit the current gaps in Google's checks to upload more dangerous apps to the store. As an example, just over a year ago he found a fake Facebook Security Checkup application. It attempted to steal users' Facebook login details, though it was swiftly removed from the Play market.
"What I am more concerned about is [developers] uploading fake banking or financial apps with really similar icons, app and developer names, either using whitespaces or Unicode characters in the name," he added.
Google, for its part, said it was continuing to roll out smarter technology to find bad apps earlier. But as it continues to make improvements to its review system, Google still relies on the community of users and developers to flag apps for further checks, a spokesperson added.
A tried and tested approach, no doubt. But some members of that community are continuing to question whether Google really is doing enough.