WhatsApp 320px
WhatsApp 320px

A fake WhatsApp application that was downloaded one million times from the Google Play Store was observed advertising a malicious game app that infects users with secondary malware capable of click fraud, data extraction, and SMS surveillance.


Initially discovered by Reddit users on the 3 November, and subsequently investigated by Zimperium's zLabs research team, the phony Android WhatsApp program, named “Update WhatsApp Messenger,” exhibits prototypical ad fraud behavior.


Upon installation, the app is difficult to find because its developer – deceivingly named “WhatsApp Inc. ” with a non-breaking space at the end – set an empty app_name value and designed the icon to appear transparent, according to a blog post from Zimperium malware researcher Matteo Favaro. Still, if the user can find it and launch it, the malware begins displaying various advertisements for additional apps, which if clicked upon sends the users back to the Google Play Store in order to install them.


One such ad is for a game called Cold Jewel Lines, which looks similar to a Candy Crush-type app. Even though the game was found to fully work, it was by every definition a malicious APK capable of communicating with a command-and-control server, performing ad-autoclicking activities, exfiltrating device data, parsing and extracting information from received SMS texts, and possibly executing other malicious payloads and shell commands.


According to Zimperium, the malware can extract such sensitive data as the IMEI (International Mobile Equipment Identity) number, IMSI (international mobile subscriber identity) number, Android UUIDs (Universally Unique Identifier), operator, Wi-Fi network, MAC identifier, manufacturer, root status, and user agent.


Researchers also learned that the malware's C&C server is linked to the domains alfa-aaa.site and ex2cloud.xyz seem.


Google removed Cold Jewel Lines from its Play Store on 21 November, one day after Zimperium disclosed the malware to the company. The WhatsApp update was apparently also removed earlier that month.