Fake WhatsApp Updater on the Google Play Store was Downloaded Over 1 Million Times, Served Malware Through Ads

The Google Play Store is a little more open than its competition, such as the iOS App Store. Because publishing an application is cheap, the SDK is free and the acceptance rate is very high, the Google Play Store is much more attractive to indie developers. This openness, a key characteristic of Android, comes with drawbacks: malware has been found on the default Android app store on multiple occasions.

Recently, a fake WhatsApp updater application on the Google Play Store, published by “WhatsApp Inc. ” (with a trailing whitespace character at the end of the developer name), was downloaded over a million times. It also served malware through an advertisement for another Google Play Store application, titled “Cold Jewel Lines”. The application’s main purpose, however, was to earn its creator ad revenue through click fraud.

If you update an application from outside the Play Store and want to be sure the update you received is genuine, keep the older version installed and install the update over it. When the installed version came from the official developer, Android will only accept the update if it has been signed with the same key as the installed version, and only the developer of the application should have access to that key. This preserves the integrity of the application you have installed and means it should be safe from third-party tampering.
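As an added illustration of that same-signer rule (example code written for this article, not part of the original post or of any Zimperium tooling): the functions below parse the output of `apksigner verify --print-certs` from the Android SDK build-tools for two APKs, the installed one and the candidate update, and report whether both carry the same set of signing certificates. The sample outputs and their digests are constructed placeholders, and the `print_certs` helper assumes `apksigner` is on PATH.

```python
import re
import subprocess
from typing import List

# One such line per signer in the output of `apksigner verify --print-certs`.
_DIGEST_LINE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})\s*$",
    re.MULTILINE | re.IGNORECASE)


def signer_digests(print_certs_output: str) -> List[str]:
    """Every signer's SHA-256 certificate digest, lower-cased and sorted so the
    comparison does not depend on the order signers are printed in."""
    return sorted(m.group(1).lower() for m in _DIGEST_LINE.finditer(print_certs_output))


def same_signers(installed_output: str, update_output: str) -> bool:
    """Mirror of the rule Android applies at install time: the update must be
    signed by exactly the same certificate set as the installed version.
    An APK with no parsable signer is never accepted."""
    installed = signer_digests(installed_output)
    return bool(installed) and installed == signer_digests(update_output)


def print_certs(apk_path: str) -> str:
    """Run apksigner from the Android SDK build-tools; assumes it is on PATH."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", apk_path],
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample outputs with placeholder digests (not real certificates).
DEV_DIGEST = "11" * 32
OTHER_DIGEST = "22" * 32


def _sample_output(digest: str, dn: str) -> str:
    return (f"Signer #1 certificate DN: {dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'33' * 20}\n"
            f"Signer #1 certificate MD5 digest: {'44' * 16}\n")


INSTALLED = _sample_output(DEV_DIGEST, "CN=Example Developer")
GENUINE_UPDATE = _sample_output(DEV_DIGEST, "CN=Example Developer")
# Same subject name, different key: anyone can self-sign a certificate with
# the developer's DN, so only the certificate digest counts.
REPACKAGED_UPDATE = _sample_output(OTHER_DIGEST, "CN=Example Developer")

if __name__ == "__main__":
    print(same_signers(INSTALLED, GENUINE_UPDATE))     # True
    print(same_signers(INSTALLED, REPACKAGED_UPDATE))  # False: would be rejected
```

To obtain the installed APK for comparison, `adb shell pm path <package>` reports where it lives and `adb pull` retrieves it. The check models only a fixed signing key; APK Signature Scheme v3 key rotation, where a newer certificate is accepted because a signed lineage vouches for it, is not handled here.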

Fake WhatsApp Updater on the Google Play Store

Returning to the application, there are two main issues, setting aside the obvious one: it serves up an obscene number of advertisements to the user without ever actually updating WhatsApp on the device.

The first issue is a direct criticism of the Google Play Store: an application should not be publishable under the same developer name as an official one. Simply appending a whitespace character was enough to fool the Play Store’s basic checks.

Secondly, the name of the application itself is suspect. “Update WhatsApp Messenger” should never have made it through the screening process for the Google Play Store, even if that process is extremely lenient about what it lets through. The package name of the fake WhatsApp updater (“whyuas.fullversion.update2017”) suggests no relation whatsoever to WhatsApp.
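A store-side or triage-side check for the two naming problems above, as an added example (not code from the article or from Google): it canonicalises developer and app names so that a trailing space, full-width or other compatibility characters and zero-width characters all collapse onto the plain name, then reports collisions with a list of protected developer names. The protected-name list and the `package_mentions_brand` heuristic are constructed for this example.

```python
import re
import unicodedata
from typing import Iterable, Optional

# Developer names a reviewer would treat as protected. Constructed sample list.
KNOWN_DEVELOPERS = ["WhatsApp Inc."]


def normalise_name(name: str) -> str:
    """Canonical form for comparing developer or app names.

    NFKC folds compatibility characters (full-width letters, ligatures and
    similar look-alikes) onto their plain forms; format characters such as
    zero-width spaces and soft hyphens (Unicode category Cf) are dropped;
    every run of whitespace, including the trailing space the fake updater's
    publisher used, is collapsed and trimmed; the result is case-folded.
    """
    text = unicodedata.normalize("NFKC", name)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    text = re.sub(r"\s+", " ", text).strip()
    return text.casefold()


def impersonates(candidate: str, known: Iterable[str] = KNOWN_DEVELOPERS) -> Optional[str]:
    """Return the protected name the candidate collides with after
    normalisation, or None. An exact match is the genuine publisher, not a
    collision."""
    canon = normalise_name(candidate)
    for official in known:
        if candidate != official and canon == normalise_name(official):
            return official
    return None


def package_mentions_brand(package: str, brand: str) -> bool:
    """Heuristic: does the package name carry the brand it claims to update?
    Dots are removed so 'com.whats.app' still counts as a mention."""
    return brand.casefold().replace(" ", "") in package.casefold().replace(".", "")


if __name__ == "__main__":
    # The publisher name from the article: "WhatsApp Inc." plus a trailing space.
    print(impersonates("WhatsApp Inc. "))        # WhatsApp Inc.
    print(impersonates("\uff37hatsApp Inc."))    # full-width W: WhatsApp Inc.
    print(impersonates("WhatsApp Inc."))         # None (the genuine publisher)
    print(package_mentions_brand("whyuas.fullversion.update2017", "WhatsApp"))  # False
```

The normalisation deliberately runs before the comparison rather than only stripping trailing whitespace, because the next submission will use a different invisible character; a listing that renders identically to a protected name is the condition to detect, not any one trick.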

Once installed, it was hidden from the app launcher by means of an empty app_name (in the AndroidManifest.xml file) and a transparent ic_launcher.png, the application icon. This means the application occupies a slot in the device’s launcher but is otherwise invisible. It can still be seen easily in the device’s settings under “Apps”, though the type of user who installs this fake application is unlikely to open that menu. A video of the application in action is shown below, along with a debugging window connected to the Android emulator.
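An added example (not from the article or from Zimperium) of how a triage script can flag the hiding technique just described: it reads a decoded AndroidManifest.xml together with the resolved string table, checks that the app has a launcher entry but an empty label, and checks that its launcher icon is fully transparent. The manifest, string table, package name and icon are all constructed here; the PNG reader handles only the 8-bit RGBA, filter-type-0 images this example builds, so real icons should go through a proper image library.

```python
import struct
import zlib
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_LABEL = "{%s}label" % ANDROID_NS

# Constructed decoded manifest in the shape the article describes: a launcher
# activity, a single network permission and a label that resolves to "".
# The package name is a placeholder, not the real updater's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.placeholder.updater">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="@string/app_name" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
SAMPLE_STRINGS = {"app_name": ""}  # constructed: the emptied app_name resource


def resolve_string(value: str, strings: Dict[str, str]) -> str:
    """Resolve an @string/ reference against the decoded string table."""
    if value.startswith("@string/"):
        return strings.get(value[len("@string/"):], "")
    return value


def has_launcher_entry(root: ET.Element) -> bool:
    """True if any intent filter exposes an activity to the launcher."""
    for filt in root.iter("intent-filter"):
        actions = {a.get(A_NAME) for a in filt.iter("action")}
        categories = {c.get(A_NAME) for c in filt.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def png_fully_transparent(png: bytes) -> bool:
    """Minimal check for 8-bit RGBA PNGs whose rows use filter type 0."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width = 8, b"", 0
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, _height, depth, colour_type = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour_type != 6:
                raise ValueError("only 8-bit RGBA is supported here")
        elif tag == b"IDAT":
            idat += data
        elif tag == b"IEND":
            break
        pos += 12 + length  # length field + tag + data + CRC
    rows = zlib.decompress(idat)
    stride = 1 + width * 4  # filter byte, then RGBA per pixel
    for row in range(0, len(rows), stride):
        if rows[row] != 0:
            raise ValueError("only filter type 0 is supported here")
        # Alpha is the fourth byte of each pixel; any non-zero alpha is visible.
        if any(rows[row + 4 + 4 * x] != 0 for x in range(width)):
            return False
    return True


def hidden_app_indicators(manifest_xml: str, strings: Dict[str, str], icon_png: bytes) -> Dict[str, bool]:
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = resolve_string(app.get(A_LABEL, ""), strings) if app is not None else ""
    return {"launcher_entry": has_launcher_entry(root),
            "empty_label": label.strip() == "",
            "transparent_icon": png_fully_transparent(icon_png)}


def looks_hidden(manifest_xml: str, strings: Dict[str, str], icon_png: bytes) -> bool:
    """All three indicators together match the technique described above."""
    return all(hidden_app_indicators(manifest_xml, strings, icon_png).values())


def _chunk(tag: bytes, data: bytes) -> bytes:
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_png(width: int, height: int, rgba: tuple) -> bytes:
    """Build a solid-colour 8-bit RGBA PNG (filter type 0) as a constructed icon."""
    raw = b"".join(b"\x00" + bytes(rgba) * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


if __name__ == "__main__":
    print(hidden_app_indicators(SAMPLE_MANIFEST, SAMPLE_STRINGS, make_png(4, 4, (0, 0, 0, 0))))
```

A launcher entry with nothing visible to show for it is the telling combination: an app with no launcher activity at all (a service-only component) is legitimately absent from the launcher, whereas one that registers a launcher entry and then blanks both label and icon is going out of its way to take the slot while staying unseen.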

As can be seen, the application first brings the user to the “Cold Jewel Lines” application on the Google Play Store, which houses the malware the researchers at Zimperium found. After the user is brought there (and presumably installs that application), they are returned to the fake application, where a few download servers are listed. Nearly every tap serves a new ad, and the layout deliberately tries to get the user to tap ads by accident. What’s more, the application never brings the user to a WhatsApp update page at all. It requests minimal permissions: only network access.

Cold Jewel Lines – An Android Malware


A screenshot of the now removed “Cold Jewel Lines” application.

This application is much more malicious than the fake WhatsApp updater mentioned above because of the operations it conducts, outlined below. Its package name is “en.cold.jewel.th.lines”.

  • Opening a communication channel with a C&C server and waiting for commands;
  • Executing ad auto-clicking activities;
  • Exfiltrating sensitive information from the device;
  • Parsing and extracting information from received SMS messages;
  • Possibly executing other malicious payloads (e.g. exploits);
  • Possibly executing shell commands to extract additional data.

The application was investigated using the Frida and Xposed frameworks. We all know what Xposed is, but what is Frida? Frida is a dynamic instrumentation toolkit for reverse engineering programs on Windows, macOS, GNU/Linux, iOS, Android and QNX. A user can inject their own JavaScript into a running application, which the researchers initially used to log the communication between the application and the server hosted by the attackers. They later ported their instrumentation to Xposed because of incompatibilities between Frida and Cold Jewel Lines.

On first launch, the application downloads an APK file and begins its communication sequence. By logging this exchange, the researchers found an API key used to contact a server, which in turn delivered an APK that extended the capabilities of the installed malware. Logging the traffic between the application and the host server further showed that, while the application contained the ability to execute terminal commands as root (via sudo), this functionality was never invoked. Other functionality that was never invoked included the silentMode, server and download commands: silentMode disables the application for a period of time specified by the server; server instructs the application to switch to a new server address for future commands; and download is expected to be used for fetching any other files the server provides.

If you want to read the full report, you can find it linked below. This is a summarised version focused on the main points; the Zimperium research blog covers the testing methodology and the other findings about the application in more detail.

Zimperium Research Blog