Cyber criminals have yet again slipped from under Google’s nose and this time around took the name of one of the most downloaded app on the Android app store. A fake WhatsApp app, with WhatsApp logo and even ‘WhatsApp Inc’ listed as the developer, looked so convincing that over 1 million people downloaded it.

WhatsApp recently rolled out a significant update that allows users to recall or delete sent messages within seven minutes. The app was titled ‘Update WhatsApp Messenger’ to take full advantage of this to cajole the users in to their trap. But at a closer look an alert user would have identified the Install button. If an app is already installed on your phone, the app page always shows update and uninstall button.

The fake app was first spotted by a Reddit user who broke down the code to find out what the app was all about. “The app itself has minimal permissions (internet access) but it’s basically an ad-loaded wrapper which has some code to download a second apk, also called ‘whatsapp.apk.” wrote the user named DexterGenius.

The ‘ad loaded wrapper’ means it would run whenever the original WhatsApp is opened to paste ads all over it. WhatsApp is essentially ads free but probably the app itself doesn’t have immunity to such bugs.

According to the report, the hacker placed invisible characters in the developer name to pass it as a unique name but looked the same as orignal. As per the code, the name of the developer of the app is “WhatsApp+Inc%C2%A0.”, but all characters except W h a t s A p p I n c . don’t show up on the app page – an exploit cunningly used.

The fake app has been taken down from the Play Store, but this only shows Google hasn’t plugged all the holes. It has been making efforts to ‘clean up’ the app store and had even deployed AI algorithms to filter out malware and adware. But looks like this one got off the net.