Swati Khandelwal for The Hacker News:
Yesterday some users spotted a fake version of the most popular WhatsApp messaging app for Android on the official Google Play Store that has already tricked more than one million users into downloading it.
The app maker added a Unicode character space after the actual WhatsApp Inc. name, which in computer code reads WhatsApp+Inc%C2%A0.
However, this hidden character space at the end of the WhatsApp Inc. would be easily invisible to an average Android user browsing Google Play Store, allowing this dodgy version of the app to masquerade as a product of WhatsApp Inc.
According to Redditors, who first spotted this fake app on Friday, the app was not a chat app; instead, it served Android users with advertisements to download other apps.
What a total shit show. Google removed the app from the Play Store, but not before it was downloaded by one million people. Think about how damaging this could be to the WhatsApp brand. I also wonder how vulnerable this makes Google to a lawsuit.
Google has touted advanced malware scanning as a feature of Android 8.0 Oreo, dubbed Google Play Protect. That’s nice and all, but this protection should be baked into the Play Store for everyone, not only for operating systems with a .2% market share. Turns out the often-complained-about walled garden that is Apple’s App Store has its benefits.
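The trailing-character trick described in the quoted report can be caught by comparing publisher names in a normalized form. The following is an added example, not code from the article, Google, or WhatsApp; the function names and the publisher list are hypothetical, and the sample strings are constructed from the encoded name quoted above.

```python
import unicodedata
from urllib.parse import unquote_plus

# The URL-encoded developer name quoted in the report, decoded as UTF-8.
SAMPLE = unquote_plus("WhatsApp+Inc%C2%A0")

# Constructed allowlist of legitimate publisher names (assumption).
KNOWN_PUBLISHERS = ["WhatsApp Inc."]


def suspicious_chars(name):
    """List (index, code point, Unicode name) for every character that
    renders as blank or nothing but is not a plain ASCII space."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Zs = space separators (NBSP, en space, ...); Cf/Cc = format/control.
        if cat in ("Cf", "Cc") or (cat == "Zs" and ch != " "):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits


def skeleton(name):
    """Comparison form: NFKC-normalize, drop format/control characters,
    collapse and trim whitespace, then casefold."""
    s = unicodedata.normalize("NFKC", name)
    s = "".join(ch for ch in s if unicodedata.category(ch) not in ("Cf", "Cc"))
    return " ".join(s.split()).casefold()


def check_publisher(candidate, known=KNOWN_PUBLISHERS):
    """Return the known publisher that `candidate` imitates, or None.
    An exact match is the legitimate name itself and is not flagged."""
    for legit in known:
        if candidate != legit and skeleton(candidate) == skeleton(legit):
            return legit
    return None


if __name__ == "__main__":
    print(repr(SAMPLE), suspicious_chars(SAMPLE))
    for name in ["WhatsApp Inc.", "WhatsApp Inc.\u00a0", "WhatsApp\u200b Inc."]:
        print(repr(name), "->", check_publisher(name))
```

A store-side check of this kind would reject or queue for review any new publisher name whose skeleton collides with an existing one, and `suspicious_chars` gives the reviewer the exact code point responsible.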