Over a million users of Google Play have downloaded a fake WhatsApp application

Fake app on the left, present on the right



It’s quite realistic to register a malicious application in the Google Play catalog and distribute it to a huge audience of Android-smartphone users. This was known before, and now another confirmation: more than a million users have downloaded a fake WhatsApp application from the “protected” and “secure” catalog.



It would download more, but on November 3, 2017, vigilant Reddit users found fake. Of course, after this application was removed from the directory.



The application called Update WhatsApp Messenger itself requested minimal permissions (only access to the Internet), but in fact it is an advertising wrapper for this application, that is, it is an ad wrapper malware.



The screenshot shows that the program is written to autoload.



In the next screenshot below - the program code, which, apparently, is responsible for downloading the real client WhatsApp Android. It is also called whatsapp.apk .







The developers used a clever trick to impersonate the original WhatsApp Inc. As seen in the following screenshot, at the end of the name of the company WhatsApp Inc. Added two bytes: 0xC2 0xA0, which form an invisible space. Thus, it looks like the developer is real.







After installation on the smartphone, the program tries to hide the traces of its existence, It does not have a registered name in the system and a transparent empty icon. In the list of applications, it looks like this:







The malware does nothing particularly malicious on the phone, except for the display of annoying ads. Here are some screenshots of the running program and the update server selection screen: 1 , 2 , 3 , 4 . Judging by the interface, the developers did not use the services of a designer, and they themselves do not have the most perfect taste in terms of the choice of colors for decoration.



Not every user will immediately understand where the advertising on the smartphone screen came from and what program needs to be removed. The application has full rights in the system if the user personally installed it. In addition, this ad wrapper downloaded and installed the real WhatsApp application, so it was not immediately obvious that he himself remained to work in the system.



It can be assumed that the scammers have earned a considerable amount by hoisting such a "trojan" on the phones of more than a million users. If they managed to earn at least a few dollars from the display of banners, then several million dollars are already coming out.



To distribute the program to a million or more Android smartphones is very difficult in a different way, except through the official Google Play catalog. Users naively believe that here they are protected from malware. Google itself in the description of Play Protect antivirus states that “the security of all Android applications is carefully checked before they appear on the Google Play Store. We check every developer on Google Play and block those who violate our rules. So even before downloading the application, you know that it has been tested and approved. ” Play Protect Anti-Virus scans 50 billion applications daily to ensure that there is nothing suspicious about new versions of software after the update.



As you can see, this protection does not cope well with its tasks. At the very least, this ad wrapper managed to avoid detection by Play Protect scanner.



In September 2017, Google specialists talked about the AI ​​system , which is used in Play Protect antivirus. Telemetry from user devices is used to train a neural network: statistics on the number of installations and deletions of programs, program behavior, etc. But the company recognized then that the AI ​​had not yet completed the learning process, although progress was evident. If in the spring of 2017 he managed to correctly determine only 5% of malware from the test sample, then by September the figure had increased to 55%. The developers said that due to Google’s anti-virus activity, the share of Android users for which this or that malicious software was installed was reduced over the year. At the beginning of the year they were 0.6%, and in September - 0.25%. Thus, anti-virus security on Android devices is much better than on desktop PCs, according to Google experts.