Fake WhatsApp listing draws over one million downloads from the Google Play Store
Using a Unicode "white space," the developer of the fake was able to make it appear as though WhatsApp Inc. was the developer, copying the developer title used on the real WhatsApp app. Google does not allow apps that impersonate a title or logo. The Unicode white space tricked Google's automated security checks into treating the developer name as different from the one listed on the legitimate WhatsApp app. The public, however, couldn't see the Unicode character (the developer name on the fake was really listed as WhatsApp+Inc%C2%A0) and was thus fooled into thinking that the spoofed listing was created by the same developers responsible for the legitimate Google Play Store listing.
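A store-side check for the trick described above, as an added example that is not part of the original article: it decodes the name as listed (%C2%A0 is the UTF-8 encoding of U+00A0 NO-BREAK SPACE), reduces it to what a reader effectively sees, and compares that against protected developer names. The function names and the protected list are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import unquote_plus

# Constructed sample: developer names the store treats as protected.
PROTECTED_DEVELOPERS = ["WhatsApp Inc.", "Facebook"]


def skeleton(name):
    """Reduce a display name to the form a human effectively sees."""
    # NFKC folds compatibility characters: U+00A0 NO-BREAK SPACE becomes U+0020.
    folded = unicodedata.normalize("NFKC", name)
    # Drop invisible format characters (Cf, e.g. U+200B) and punctuation (P*).
    kept = [c for c in folded
            if unicodedata.category(c) != "Cf"
            and not unicodedata.category(c).startswith("P")]
    # Collapse whitespace runs, trim both ends, ignore case.
    return " ".join("".join(kept).split()).casefold()


def hidden_characters(name):
    """Name every non-ASCII whitespace or invisible format character."""
    return [
        f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
        for c in name
        if ord(c) > 0x7F
        and (c.isspace() or unicodedata.category(c) in ("Cf", "Zs"))
    ]


def check_listing(encoded_name, protected=PROTECTED_DEVELOPERS):
    """Return (impersonated_name, hidden_chars), or None if the name is clean."""
    raw = unquote_plus(encoded_name)  # "WhatsApp+Inc%C2%A0" -> "WhatsApp Inc\u00a0"
    for legit in protected:
        # Byte-for-byte different, yet identical once reduced: impersonation.
        if raw != legit and skeleton(raw) == skeleton(legit):
            return legit, hidden_characters(raw)
    return None


if __name__ == "__main__":
    # First name is the one quoted in the article; the others are constructed.
    for listed in ["WhatsApp+Inc%C2%A0", "WhatsApp+Inc.", "Face%E2%80%8Bbook"]:
        print(listed, "->", check_listing(listed))
```

A plain string comparison sees the spoofed name as new; comparing the reduced forms is what exposes the collision, and the list of hidden code points tells a reviewer why.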
While the intent of the fake app was to create revenue for the developer by posting ads, the same tactic could have been used to steal personal data from the more than one million people who signed up for the app. Nikolaos Chrysaidos, a security researcher at anti-virus company Avast, says that this kind of spoofing has been done many times before. He mentioned a fake Facebook that was downloaded ten million times.
Google continues to try to rid the Play Store of such fake apps. The battle continues.
source: Motherboard via PCMag