{"id":10361,"date":"2017-11-08T10:10:19","date_gmt":"2017-11-08T18:10:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/08\/news-4134\/"},"modified":"2017-11-08T10:10:19","modified_gmt":"2017-11-08T18:10:19","slug":"news-4134","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/11\/08\/news-4134\/","title":{"rendered":"Phony WhatsApp used Unicode to slip under Google’s radar"},"content":{"rendered":"

Credit to Author: Malwarebytes Labs| Date: Wed, 08 Nov 2017 17:13:12 +0000<\/strong><\/p>\n

After a troubling week for Google<\/a> not so long ago, the company is under the spotlight once more for missing another app that, after further investigations by several members of Reddit<\/a>, was found laden with adware.<\/p>\n

This app, which was called “Update WhatsApp Messenger,” used the logo and\u00a0developer name\u00a0of the\u00a0real\u00a0WhatsApp app\u2014two elements that a user familiar with the app expects to see. However, the developer name for this bogus app had an extra space at the end, so it looked like this:<\/p>\n

WhatsApp, Inc.{space}<\/em><\/code><\/p>\n

To\u00a0aid users in realizing this deception, Redditor Megared17 posted snapshots<\/a> of a code section belonging to the real WhatsApp and the fake app to compare the two. We have reproduced\u00a0the shots below for your convenience.<\/p>\n

\"\"<\/p>\n

That bit in the box is the percent coding equivalent of a blank space, which translates to U+00A0, the Unicode value of a\u00a0no-break space<\/a>. Although this is something our normal eyes may have a difficult time spotting, many decried that Google’s scanner should have quickly picked this up.<\/p>\n

\n

Read: Out of character: Homograph attacks explained<\/a><\/em><\/p>\n

\n

Once downloaded and installed,\u00a0Redditor Dextersgenius pointed out<\/a> that “Update WhatsApp Messenger” hid from users by “not having a title and having a blank icon,” which he then supplemented with screenshots that we also reproduced below.<\/p>\n

\"\"<\/p>\n

From Dextersgenius’s testing, they also pointed to a piece of code<\/a> that indicated this bogus app appears to access a hardcoded\u00a0bit.ly<\/em> shortened URL that presumably\u00a0downloads an update APK named whatsapp.apk.<\/em>\u00a0Upon closer inspection, however, the bit.ly<\/em> URL led to another shortened URL\u2014this time Google’s URL shortener, goo.gl<\/em>\u2014that then led to a Google search result for a WhatsApp Messenger APK file.<\/p>\n

\"\"<\/p>\n

Essentially, users are told to “Look for the APK file from these search results. It’s got to be in one of them!” No updates are sent to the phones at all, so they’re just left with a PUP\u00a0app.<\/p>\n

“Users need to be more vigilant,” advised Armando Orozco, Lead for the Mobile Protection Team at Malwarebytes. “If they want to update WhatsApp, they need to use the update mechanism in the Play Store app, not a secondary app.”<\/p>\n

Apart from reading app reviews for any reports of questionable behavior, it also pays for users to check the link to the developer of the app, which might have helped catch\u00a0“Update WhatsApp Messenger” and possibly lessen the number of affected devices.<\/p>\n

Stay safe!<\/p>\n

Other related post(s):<\/p>\n