Full Report
A couple of fake WhatsApp apps found their way into the Google Play Store. These apps' pages, names and developer title 'WhatsApp Inc.' look similar to those of the original WhatsApp app. Quick Heal Security Labs ran an analysis on these apps and this post outlines the results. Fake app #1. […] Source post: "Fake WhatsApp Apps on Google Play – an analysis by Quick Heal Security Labs", Quick Heal Security Labs blog.
Analysis Summary
# Tool/Technique: Fake WhatsApp Play Store Apps
## Overview
This technique involves the distribution of malicious or fraudulent Android applications through the official Google Play Store by impersonating a legitimate, high-trust brand (in this case, WhatsApp). The operators publish under a lookalike developer name (here "WhatsApp Inc." with an appended invisible Unicode character, so the title displays identically while the developer ID differs) and copy assets (icon, screenshots, description) from the original listing to deceive users into installing unwanted software.
## Technical Details
- **Type:** Malware | Potentially Unwanted Program (PUP)
- **Platform:** Android
- **Capabilities:** Adware delivery, impersonation, unauthorized data collection, and redirection to malicious websites.
- **First Seen:** Reported by Quick Heal Security Labs while the lookalike apps were live on Google Play under the developer title "WhatsApp Inc."; the summary does not give a date.
## MITRE ATT&CK Mapping
*(Mobile matrix. The original mapping mixed Enterprise tactic IDs with Mobile techniques and cited T1474 Supply Chain Compromise and T1491 Defacement, neither of which fits: T1474 covers tampering with developer tooling or SDKs, and T1491 is an Enterprise technique.)*
- **Initial Access**: delivery of a lookalike app through the official Google Play Store under a developer title that renders as the genuine one.
- **Defense Evasion**
- **[T1655.001 - Masquerading: Match Legitimate Name or Location]**: copying the WhatsApp name, icon and description and using a visually identical developer title.
- **[T1628.001 - Hide Artifacts: Suppress Application Icon]**: hiding the launcher icon after first run so the user cannot find and uninstall the app.
- **Discovery**
- **[T1418 - Software Discovery]**: checking for the presence of the legitimate WhatsApp app.
- **Impact**: ad revenue for the operator through intrusive advertisements; no Mobile Impact technique ID is asserted here.
## Functionality
### Core Capabilities
- **Deceptive Branding:** Uses the developer title "WhatsApp Inc." with an appended invisible Unicode character (a trailing non-breaking space, U+00A0, as reported for this campaign). The title displays identically to the genuine one while the developer ID remains unique, so the store's name uniqueness check is satisfied.
- **Adware Integration:** Serves intrusive advertisements to generate revenue for the attacker.
- **Stealth Preservation:** Once installed, the app may use a transparent icon or hide from the app drawer to make uninstallation difficult for the user.
### Advanced Features
- **App Injection:** Some variants function as a "wrapper" or downloader, attempting to install secondary APKs or redirecting users to external sites to download "updates" that are actually payloads.
## Indicators of Compromise
*(The Quick Heal excerpt reproduced above publishes no file hashes or network indicators, so none are listed here. Ad-network domains such as AdMob are legitimate Google infrastructure used by countless benign apps and are not indicators of compromise; do not add them to blocklists.)*
- **Listing indicators:**
- Developer title that renders as `WhatsApp Inc.` but whose developer ID (the `id` parameter in the Play Store developer page URL) differs from the genuine one, typically by an appended invisible Unicode character.
- App name, icon and description copied from the genuine listing, combined with a package name other than `com.whatsapp`.
- Install band orders of magnitude below the genuine app's.
- **App titles used by lookalikes (illustrative):**
- `Update WhatsApp Messenger`
- `WhatsApp Business` (fake version)
## Associated Threat Actors
- Unknown; typically attributed to independent "adware developers" or financially motivated cybercriminals specializing in mobile app fraud.
## Detection Methods
- **Signature-based detection:** Mobile AV engines, Quick Heal's included, flag these under generic fake-app, adware or PUP family names; the exact detection name differs between vendors.
- **Behavioral detection:** Flag apps that disable their own launcher activity right after first launch. On Android this is done through `PackageManager.setComponentEnabledSetting`, so the icon disappears from the drawer while the package stays installed and its services and receivers keep running.
- **Store verification:** Compare the listing with the genuine one: package name (`com.whatsapp`), developer page and its URL, the developer's other apps, and the install band (a lookalike shows thousands or millions of installs against the genuine app's more than a billion).
## Mitigation Strategies
- **Prevention measures:** Install from the link on the vendor's own website or by package name (`com.whatsapp`) rather than by searching for the app name, and compare install band and reviews with the genuine listing. Play shows install bands, not exact counts, and the genuine app is well above a billion installs.
- **Hardening recommendations:** Keep Google Play Protect enabled and use a mobile security suite that scans apps before or during installation, including installs that come from the Play Store.
- **User Education:** Teach users that a spoofed developer name need not contain a visible misspelling: an invisible character or a lookalike glyph renders identically, so the developer page URL is the thing to compare. Treat sensitive permission requests (for example an "update" app asking for SMS or contact access, or for permission to install other packages) as a red flag.
## Related Tools/Techniques
- **Unicode Squatting:** Using characters from other scripts that look identical to Latin letters, or invisible characters (zero-width or non-breaking spaces), to register a name that displays like an existing one while remaining a distinct string.
- **Trojanized Apps:** Legitimate apps modified to include malicious code.
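The developer-name check described under Store Verification and User Education, and the Unicode squatting listed above, as an added example that is not Quick Heal's code or part of the original post. It normalises a developer title so that invisible characters and lookalike glyphs collapse onto the genuine name, reports exactly which code points were hidden, and then runs the other listing checks (package name, install band, permissions). The two listing records are constructed by hand; the fake one's package name is a placeholder, and the baseline uses the genuine app's public details as given on this page (`com.whatsapp`, "WhatsApp Inc.").

```python
"""Triage a Play Store listing that claims to be WhatsApp.

Added example; not Quick Heal's tooling. Listings are constructed by hand.
"""
import unicodedata

# Small, illustrative confusables table (Unicode's confusables.txt is the
# authoritative list): characters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic с х і ѕ
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041d": "H",  # Cyrillic А В Е Н
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",  # Cyrillic О Р С Т
    "\u0391": "A", "\u0395": "E", "\u039f": "O", "\u03bf": "o",  # Greek Α Ε Ο ο
}
INVISIBLE_CATEGORIES = {"Cf", "Cc", "Co", "Cn"}  # format, control, private, unassigned


def suspicious_codepoints(name):
    """(index, codepoint, Unicode name, reason) for every character a user
    would not see, or would misread, in a developer or app title."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in INVISIBLE_CATEGORIES:
            reason = "invisible format/control character"
        elif cat.startswith("Z") and ch != " ":
            reason = "non-ASCII whitespace"
        elif ch in CONFUSABLES:
            reason = "confusable with '%s'" % CONFUSABLES[ch]
        else:
            continue
        hits.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"), reason))
    return hits


def skeleton(name):
    """Comparison form: NFKC-normalise, drop invisible characters, fold all
    whitespace to a space, map confusables, casefold, collapse space runs."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        cat = unicodedata.category(ch)
        if cat in INVISIBLE_CATEGORIES:
            continue
        out.append(" " if cat.startswith("Z") else CONFUSABLES.get(ch, ch))
    return " ".join("".join(out).casefold().split())


def classify_developer(name, official):
    """'exact' (identical string), 'lookalike' (same skeleton) or 'different'."""
    if name == official:
        return "exact"
    return "lookalike" if skeleton(name) == skeleton(official) else "different"


def parse_installs(band):
    """Play shows install bands such as '1,000,000,000+'; use the lower bound."""
    digits = "".join(c for c in band if c.isdigit())
    return int(digits) if digits else 0


GENUINE = {  # baseline: the genuine app's public listing details
    "title": "WhatsApp Messenger", "package": "com.whatsapp",
    "developer": "WhatsApp Inc.", "installs": "1,000,000,000+",
}
# The genuine client legitimately asks for contacts and SMS, so permissions
# are only judged once the package name has already failed to match.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def triage_listing(listing, official=GENUINE):
    """Human-readable findings; an empty list means every check matched."""
    findings = []
    verdict = classify_developer(listing["developer"], official["developer"])
    if verdict == "lookalike":
        detail = "; ".join("%s %s (%s) at index %d" % (cp, nm, why, i)
                           for i, cp, nm, why in suspicious_codepoints(listing["developer"]))
        findings.append("developer title is a lookalike of %r: %s"
                        % (official["developer"], detail or "differs only after normalisation"))
    elif verdict == "different":
        findings.append("developer title %r is not %r" % (listing["developer"], official["developer"]))
    impostor = listing["package"] != official["package"]
    if impostor:
        findings.append("package name %s is not %s" % (listing["package"], official["package"]))
    if parse_installs(listing["installs"]) < parse_installs(official["installs"]):
        findings.append("install band %s is below the genuine app's %s"
                        % (listing["installs"], official["installs"]))
    if impostor:
        asked = sorted(set(listing.get("permissions", ())) & SENSITIVE_PERMISSIONS)
        if asked:
            findings.append("non-official package requests sensitive permissions: " + ", ".join(asked))
    return findings


FAKE = {  # constructed lookalike listing; the package name is a placeholder
    "title": "Update WhatsApp Messenger", "package": "com.example.fakewa",
    "developer": "WhatsApp Inc.\u00a0",  # trailing NO-BREAK SPACE
    "installs": "1,000,000+",
    "permissions": ["android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                    "android.permission.REQUEST_INSTALL_PACKAGES"],
}

if __name__ == "__main__":
    for label, listing in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, "->", triage_listing(listing) or ["no findings"])
```

The skeleton comparison is deliberately aggressive: a title that differs from the genuine one only by characters a user cannot see is treated as a lookalike, not as a different developer. The confusables table here is a fragment; a production check should load Unicode's full confusables data rather than this hand-picked subset.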