As much as Google has tried to prevent malware from being uploaded to its official Play mobile application store, the company has kept tripping up—with almost alarming regularity in recent months.
The latest incident involves a fake version of the WhatsApp instant messenger for Android that was downloaded at least 1 million times over the past few days before Google removed it Sunday after learning of the issue from Reddit readers.
The ad serving application was disguised to appear like a WhatsApp update and was one of several fake WhatsApp versions that users have reported finding on Google Play in recent days. On Nov. 5 a security researcher from Avast Antivirus posted a screen shot on Twitter of what appeared to be icons for as many as eight fake WhatsApp versions on Google Play.
In an emailed statement Nov.6, a Google spokesman said the WhatsApp version, which was downloaded over one million times, has been removed from Google Play. The developer account from which the fake app was uploaded has been suspended for violating the company’s terms of service, the company said.
The discovery and removal of the fake WhatsApp software is the latest in an increasingly embarrassing string of incidents where outsiders have found rogue applications on Google’s Play—supposedly the most secure source for Android applications.
In mid-October Symantec reported finding at least eight malware infested Android apps on Google Play that had been downloaded by as many as 2.6 million users worldwide. At least five other security vendors have made similar disclosures so far this year.
Over the past two years Google has implemented multiple automated measures to scan applications for malware before they can be uploaded to Google Play. The company has implemented software for identifying and blocking malicious apps running on Android devices and policies for vetting developer identities and blocking those with previous violations.
In October Google launched a new bug bounty program which it is offering up to $1,000 in rewards for certain types of bugs in Android apps. The measures have not been enough to stop rogue developers from uploading malicious applications to Google Play.
In the latest incident, the developers simply used what are known as Unicode characters and blank spaces to fool Google Play’s name check systems into believing the fake application was genuine.
The developer was basically able to sneak the fake software into Play simply by making it appear that the app had the identical name and icon and was from the same developer as the real WhatsApp app. In this particular case, the rogue application was relatively benign since it just served up advertising, but the outcome could have been different if the payload had been more dangerous.
Several users posting on Reddit wondered how Google Play defenses could allow such a simple tactic to work. “Their system doesn’t even make the most basic checks,” a user posting as JBWalker1 said on Reddit.
Ordinarily, when an application is uploaded that appears to be identical to a popular app, it should be flagged for manual review and not be made available for immediate download, JBWalker1 noted.
In its statement, Google said all apps submitted to Google Play are automatically scanned for potentially malicious code. The company also has a new app review process to catch policy offenders earlier in the process, the company said. “But as we continue to make improvements to our review system, we still rely on the community of users and developers to flag apps for additional review.”