by RSS Dario Durando  |  Nov 08, 2017  |  Filed in: Security Research

Google Play is the primary Android application marketplace. It contains roughly 3.5 million applications. Every day, this number increases thanks to a multitude of talented developers that upload new apps to the platform.

Unfortunately, not all developers have the best intentions in mind. Malicious software is often found on Google Play impersonating innocuous applications (ranging from utility tools to games to system updates.)

Recently, the FortiGuard Labs team noticed that one of the most successful applications on the market, “WhatsApp Messenger” developed by “WhatsApp Inc.”, has been the target of a lot of attention by scammers and criminals alike.

As you can see from the image above, when a user searches for the name of the application, a large number of fake applications pop up in the results. The first and the third results are legitimate, while the others are not.

However, it is clear that these other apps are trying to impersonate the original, from the icon and the name even to the name of the developer.

The developer’s name in these copycat apps is always a variation of “Whatsapp Inc.”, with the addition of some punctuation and spacing. One of them cleverly even uses a different Unicode character to represent the period, making it extremely difficult to spot the difference.

I decided to investigate. What do these applications really do? How is it possible for them to be on the market? How easy it is to upload a malicious application to Google Play that impersonates other legitimate ones?

Here are my findings.

Policy

First, in order to understand how these applications made it to the store, I decided to read the policies that Google makes you agree on before publishing an application.

What I found was interesting.

According to Google Play’s “Developer Policy Center”, apps that “use another app or entity’s brand, title, logo, or name in a manner that may result in misleading users” are not allowed on the store.

The following graphic is used to illustrate this concept:

It is very clear that the applications I found violate this principle.

They should not be allowed to be on the market based solely from their icon, name, and developer which are clearly being designed to confuses users as being a legitimate brand.

Analysis

After discovering this, I decided to take a closer look at the fake applications in the market to check if at least they were providing a similar service, if they were malware, or if they were simply annoying. Over the past month I have noticed that most impersonating applications have a relatively short life span (usually between a couple of days and a couple of weeks), with a low to moderate amount of downloads. However, the ones with the most longevity manage to be downloaded a lot – one in particular was downloaded more than a million times. Unfortunately, I was not able to grab a screenshot of that particular app because right after that ‘milestone’ was achieved it was removed from the marketplace.

Sample 1

Most of these applications also have a large number of positive reviews that do not match the actual behaviour of the app, with text that does barely make senses in either syntax or context. This suggests that these reviews were bought or posted by the developer to boost the rating of the application.

If we go through the reviews, we can also see that many users found this application to be suspicious and fake, and rating it the minimum. However, thanks to the number of fake reviews, it still sports a 4.2/5 rating, which is very high and comparable to the rating of the official version of the app.

I installed the most downloaded copycat application onto a test device to see what it did.

After installing, I could not find the application, and only after reorganizing the app order was I able to spot it. The icon was transparent and had no title. A user would not even notice that this application was installed if they had, like I did, organized the applications by date of installation. Right from the start, it definitely looks suspicious.

The application does not run actual code to imitate the original. Instead, it pretends to download an update for the official application (a procedure that is done automatically by the Google Play Store anyway). It uses a library called startapp.android.publish to display ads at every screen transition, and then it even fails to download anything onto the device. The author likely receives revenue every time an ad is shown to the user, who in return receives nothing but annoyance. Moreover, even the application itself is very poorly made, looking nothing like the original.

This kind of application is the most common impersonator for legitimate apps. An update downloader that in reality generates revenue for the creator, but delivers nothing to the user.

Samples 2 and 3

These next samples again display a large amount of very intrusive overlays, ranging from ads of big brands to redirecting to the download page of other apps on the play store. I grouped them together because their package names - update.app11213 and update.app21153 - look a lot alike, possibly being iterations of a computer-generated name.

Their functioning also seems similar, albeit one being a little more refined than the other. These apps are also predominantly innocuous, but very obnoxious for the user, making them lose time with spamming ads and redirection links to untrusted sites while sharing information about the user to the ad providers. Like Sample 1, they have no icon, and in this case, the potential for malicious activity is also very high. It would take very little to switch one of these links from an ad to something worse, like a download link. And also just like Sample 1, these ads are provided using the startapp.android.publish library.

Sample 4

This final sample is different from the previous in the sense that it actually downloads something and successfully installs it on the device. Even if it advertises as a simple update of the official app, in reality it downloads a modified version of the Whatsapp messenger application, and offers, according to the distributor site, additional features not available on the official release. I cannot say more because it did not work properly on my device. However, it did not display any malicious behaviour. This application probably displays the most dangerous potential of the set, even though it currently displays no malicious intent (apart from downloading a unofficial mod and displaying a bunch of ads as usual.)

The app demonstrates the process of how to install a third party application by allowing unknown sources and then installing the apk manually.

The link used by the downloader could also be easily substituted with a link to a malicious android apk, a banker, or a ransomware, and in that case the user would be completely powerless, and even worse, he would have installed that dangerous software on his/her device himself.

Conclusion

From what I could observe, none of these applications are complying with Google terms and policies about the impersonation of intellectual property. This analysis was done on Whatsapp Inc. product, because at the time of writing of this post it presented the highest number of clones and impersonations. However, this situation is very similar to those faced by many other developers on the Google Play Store. It is not clear if the responsibility falls on Google or Whatsapp Inc. in this specific case. However, what we can take away from this is that users should always be careful when downloading applications, even from official sources like the Google Play Store. Check the permissions used by the app, and always be careful with apps asking to download from unknown sources.

Solution

These samples are detected by Fortinet as Riskware/AndroidFakewhatsapp.

Note: Following some tweets published during the weekend, these applications have been taken down from the Google Play store while the blogpost was under review.

IOC:

Sample 1: 80fe0de24e58eb1c485d55c94d20ffd710fc4b8a05f2c20d9d0d42cabb683fad 
Sample 2: 9c3c61fc222250d030d96316d794050160082980d7c1058b403a04dddedcfe7c 
Sample 3: fed42f25688b310313da4217460fa999b980f325a86971a6e0a9f0327a9567b6
Sample 4: f455599f5043c212e29a62ea3e3c3c14a9ad8ceec998f7ed0aa690ba9dfc328f

-=FortiGuard Lion Team=-

 

 

Sign up for our weekly FortiGuard intel briefs or to be a part of our open beta of Fortinet’s FortiGuard Threat Intelligence Service.

by RSS Dario Durando  |  Nov 08, 2017  |  Filed in: Security Research