To avoid malicious apps on Android, do not install anything that comes from outside the Play Store or has few downloads. This security recommendation did not work in the most recent case: a fake WhatsApp was downloaded more than 1 million times from the official Google store.
The trick was well done: the application on Google Play was called “Update WhatsApp Messenger”, had the same visual identity as the original and was created by the developer “WhatsApp Inc.”, exactly the same name as Facebook uses to distribute the legitimate version.
But how did Google allow someone else to adopt the same developer name as the original? The attacker included a Unicode character that was invisible on Google Play: the name in the link was “WhatsApp+Inc%C2%A0.”, and Google's system apparently treated it as different from “WhatsApp Inc.”, as The Hacker News showed.
The malicious application required few permissions (it only needed internet access, after all). When opened, the malware displayed a webpage full of advertisements and attempted to download a second APK, called “whatsapp.apk”, according to a user report on Reddit.
It has already been removed by Google, but the fake WhatsApp fooled over 1 million people who trusted the Play Store and the more than 6,000 Google store reviews, which gave an average of 4.2 stars — pretty close to the 4.4 stars for the real app.
When not even Google Play's own filters work, nor Play Protect, nor judging an app by its popularity and user ratings, the recommendation for staying safe on Android is: ¯\_(ツ)_/¯