A fake WhatsApp listing on the Google Play Store drew over one million installations from Android users before Google removed the app from the store. Google also suspended the developer for violating Google's policies. Luckily for those who did install the app, the only thing it did was push ads for other apps. Reddit users blew the whistle on the app yesterday as Google apparently didn't spot the fake. The spoof used the name "Update WhatsApp," and included the WhatsApp logo to make it appear as though the phony was an official update to the very popular messaging app.

Using a Unicode "white space," the developer of the fake was able to make it appear as though WhatsApp Inc. was the developer, copying the developer title used on the real WhatsApp app. Google does not allow apps that impersonate a title or logo. The Unicode white space tricked Google's computerized security into treating the developer name as different from the one listed on the legitimate WhatsApp app. The public, however, couldn't see the Unicode character (the developer name on the fake was really listed as WhatsApp+Inc%C2%A0) and was thus fooled into thinking that the spoofed listing was created by the same developers responsible for the legitimate Google Play Store listing.
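A defender-side check for this trick, as an added example that is not from the article or from Google: `%C2%A0` is the UTF-8 percent-encoding of U+00A0 NO-BREAK SPACE, so the code decodes the listed name, reduces it to the form a reader effectively sees, and flags names that collide with a protected developer name without being identical to it. The function names, the protected list and the rule of ignoring punctuation are assumptions of this sketch.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

# Assumed list of protected developer names (constructed for this example).
PROTECTED = ["WhatsApp Inc."]

def skeleton(name: str) -> str:
    """Reduce a display name to what a human effectively reads."""
    # NFKC folds compatibility characters: U+00A0 and U+3000 become U+0020.
    name = unicodedata.normalize("NFKC", name)
    kept = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc") or cat.startswith("P"):
            continue                      # invisible/format chars and punctuation
        kept.append(" " if cat.startswith("Z") else ch)
    return re.sub(r" +", " ", "".join(kept)).strip().casefold()

def suspicious_chars(name: str) -> list:
    """List code points that render as nothing or as a look-alike space."""
    found = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat in ("Cf", "Cc") or (cat.startswith("Z") and ch != " "):
            found.append(f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}")
    return found

def check_listing(raw: str, url_encoded: bool = False):
    """Return a finding if the name imitates a protected one, else None."""
    name = unquote_plus(raw) if url_encoded else raw
    for real in PROTECTED:
        # Byte-different but visually equivalent is the impersonation signal.
        if name != real and skeleton(name) == skeleton(real):
            return {"impersonates": real, "hidden": suspicious_chars(name)}
    return None

if __name__ == "__main__":
    # First sample is the name as quoted in the article; the rest are constructed.
    samples = [("WhatsApp+Inc%C2%A0", True), ("WhatsApp\u200b Inc.", False),
               ("WhatsApp Inc.", False), ("Signal Foundation", False)]
    for raw, enc in samples:
        print(repr(raw), "->", check_listing(raw, url_encoded=enc))
```

A plain string comparison treats the first two samples as new, unrelated developers, which is the gap the fake listing used.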

While the intent of the fake app was to create revenue for the developer by posting ads, the same tactic could have been used to steal personal data from the more than one million people who signed up for the app. Nikolaos Chrysaidos, a security researcher at anti-virus company Avast, says that this kind of spoofing has been done many times before. He mentioned a fake Facebook app that was downloaded ten million times.

"We see SO many fake copies and fraudulent apps. It's always going to be a cat & mouse game between the bad guys and the good guys." - Mike Murray, Lookout