Google removed a rogue version of the WhatsApp Messenger application from Google Play that had been installed by more than 1 million people. A subsequent search by users and researchers revealed that it was one of many similar fake apps hosted on the app store.
Security companies constantly advise users to download apps only from the official app stores for their respective mobile platforms. While generally that’s a good recommendation, this and other past incidents show that malware does sometimes make its way onto Google Play and can be very difficult to spot.
The creators of the rogue WhatsApp version put significant effort into their fake. At first glance, the Update WhatsApp Messenger app appeared as if it indeed had been created by Facebook-owned WhatsApp Inc., but experts later noticed that the publisher’s name had an invisible space at the end written with Unicode characters.
The fake app was first reported Friday by a user on Reddit and was taken down by Google soon afterward. The app then briefly made a comeback under a different publisher and name: “Dual Whatsweb Update.”
Following the report, people on Reddit and Twitter started searching for and finding similar apps on Google Play that masqueraded as well-known and popular applications. Like the rogue WhatsApp, some of the fakes were quite good, reusing the names of legitimate developers with only minor modifications, as well as names and icons similar to those of the impersonated applications.
Other apps were more easy to spot as fake because they used different icons or developer names. But even then, Google Play statistics showed that they had been successful in tricking a lot of people.
Nikolaos Chrysaidos, a security researcher at antivirus company Avast, posted several examples of fake apps on Twitter, including one that was only somewhat similar in appearance to Facebook Messenger yet had been downloaded more than 10 million times.
The rogue WhatsApp application was more adware than malware, displaying ads to users and prompting them to install various other apps.
“The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk’,” a user who analyzed the app’s code said on Reddit.
But while this particular app was not exactly malicious, others very well could be. Google has put a lot of effort over the years to prevent malware on the Play store by using automated scans and other techniques. However, attackers repeatedly have found ways to bypass those defenses.
In September, security researchers from Check Point found 50 Android applications with malicious code inside them on the app store. Those apps had between 1 and 4.2 million downloads combined and were silently subscribing victims to paid services and sending unauthorized text messages to premium-rate numbers.
Such incidents highlight the importance of companies enforcing a clear separation between work and personal activities on their employees’ mobile devices. At the very least, such devices should use a capable mobile antivirus product, as relying simply on Android’s native malware detection capabilities clearly is not enough.
Qakbot and Emotet Infostealers Increasingly Hit Corporate Networks
Microsoft has observed a rise in the number of detections for the Qakbot and Emotet computer Trojans over the past few months and warns that these malware programs increasingly are being found on corporate networks.
“Even though these malware families are typically known to target individual online banking users, more and more enterprises, small and medium businesses, and other organizations have been affected by indiscriminate infections,” Microsoft’s malware researchers said in a blog post.
By analyzing the Qakbot and Emotet encounters on computers starting in January until August, the Microsoft researchers determined that 33 percent of Qakbot detections were in large enterprises and 7 percent in small businesses. Ten percent of detections of Emotet were in enterprises and 8 percent in small businesses.
Both Trojans are typically delivered through email attachments—usually Word documents with malicious macros—or through web-based drive-by download attacks that exploit vulnerabilities in browser plug-ins. Once installed on a system, they can download additional modules from their command-and-control servers.
What makes these programs particularly dangerous for corporate networks is their lateral movement capabilities. Both of them can spread through accessible network shares and removable USB storage devices, access shared folders using harvested credentials, brute-force Active Directory accounts and copy and execute themselves on other machines through the Server Message Block (SMB) protocol.
The Microsoft blog post contains recommendations on how to mitigate Qakbot and Emotet infections and stop their spread on the corporate network.