Reddit users yesterday spotted an extremely convincing spoofed copy of the popular WhatsApp messenger on Google Play. The fake was downloaded by more than 1 million users, who instead of a messaging tool wound up with a bundle of ads.
According to Hacker News, the fake WhatsApp was nearly indistinguishable from the real thing thanks to an invisible space placed at the end of the developer’s name.
One of the security hounds discussing the case on Reddit pointed out that this was not an isolated incident, even for WhatsApp. A search for “WhatsApp” on Google Play currently shows no fewer than seven spoof apps using slight variations on the developer name “WhatsApp Inc.”, including versions with extra spaces, asterisks, or commas. All of them have four-star review averages, presumably thanks to industrial-scale subversion of Play’s review system.
Get Data Sheet, Fortune’s technology newsletter.
This is the latest in a long string of incidents in which Google has shown little seriousness in attempting to protect Google Play users. In prior incidents, security experts or unlucky users have encountered malware in compromised messaging apps, in a line of popular children’s games, and even in fake versions of Pokemon Go.
In this case, Google’s failure to protect WhatsApp’s intellectual property has a further dimension – WhatsApp is owned by Google’s primary competitor for online advertising revenue, Facebook.
After attracting unwanted attention, the rogue developer apparently changed the infringing name on their own.
ATLBart on November 5th, 2017 at 14:36 UTC »
I was recently helping a friend with a new phone, when I was about to install WhatsApp, some other application that looked to be WhatsApp came up first.
There was something about it that made me want to take a look, it was obvious that it was something else but the problem was that this fake WhataApp was showing up at the top of top of the list instead of Facebook's WhatsApp.
After seeing this, Im surprised that only 1 million people downloaded this Fake whatsapp.
Swahii on November 5th, 2017 at 14:26 UTC »
I always wonder how these apps get by the security check. When I made an app for a rescue on behalf of them it got flagged that it was copyrighted and was taken down immediately. I had to fill out a bunch of forms proving I was working for the rescue.
Meanwhile exact duplicates can get through the automated security and stay up
_HOG_ on November 5th, 2017 at 14:00 UTC »
1 Million. From which we can probably infer there are many more fake or malicious apps that are under the radar.