Meta is attempting to clamp down on rogue WhatsApp-styled applications which originate from China. Bleeping Computer reports that no fewer than one million WhatsApp accounts have been compromised, allegedly as a result of using these apps which are claimed to bundle malware.
The apps in question were available to download from multiple sources, including the developer’s own websites and also the Google Play store itself. After installation, the apps would ask device owners to punch in user credentials, which were then stolen. From Meta’s complaint:
Beginning no later than May 2022 and continuing until at least July 2022, the Defendants…misled over one million WhatsApp users into self-compromising their accounts as part of an account takeover attack. The self-compromised accounts were then used to send commercial spam messages.
With around one million installs listed on just one app’s installation tally, that’s potentially quite a lot of spam messages. The complaint notes that these allegedly rogue applications were also promoted on Facebook. One bogus app was promoted as being able to “modify other versions of unofficial WhatsApp applications, including modifying the applications’ colours”. Another was conceived as an “app updater”, supposedly telling device owners about new features and updates for the other applications.
When apps go stylin’ and profilin’
The complaint lists several detailed examples of the apps on offer. It’s quite a mixed bag, with no real single theme or unifying styling between them. As far as the spam messages go, they were directed at WhatsApp users worldwide, “including users in Hong Kong, Indonesia, Malaysia, and Singapore”.
There’s a heavy focus on modding and changing out the basic functionality of WhatsApp. One app claimed to offer a dynamic theme store, “chat anywhere”, additional privacy settings, and backup and restore.
This seems typical of the offerings on display. At least one claimed to be “ad free”, a particularly ironic claim given the accusations of commercial spam being sent out. Unsurprisingly, the 76-page complaint includes multiple examples of bad reviews from unsuspecting Android owners.
According to Bleeping Computer, Meta and Google have worked together to get this one shut down as much as possible. Previously downloaded versions of these apps are now disabled and non-functional via Google Play Protect, with effect from the middle of April.
Avoiding bad apps
Rogues do land on official stores every so often, so “only trust what you see on official stores” is good advice, but not enough by itself. The risk is low, but it is not zero. With this in mind, what else can you do?
- Stick to Google Play and the App Store, and don’t install apps from unofficial stores or websites. While this does indeed place you inside a walled garden, which could still contain something bad, you’ll find the scale of the threat is quite a bit lower.
- Keep your device and apps updated. It’s a lot harder for people to exploit your phone when it’s running all of the latest software.
- Use a mobile security app. (It won’t shock you to learn that we recommend Malwarebytes Mobile Security.)
- Be very wary of fakes, mods, add-ons, or “bonus” apps claiming to be WhatsApp, or related to WhatsApp. You stand a good chance of not getting what you were expecting. The official WhatsApp publisher on Google Play is WhatsApp LLC.
- Use your common sense. Read the reviews, check the app permissions, and be very reluctant to type your WhatsApp password into anything that isn’t WhatsApp.
If you’re looking for additional security tips and more general advice for keeping your mobile safe, check out our “10 ways to protect your Android” article which covers everything from backups to location disclosure. Stay safe out there!