To avoid malicious applications on Android, the usual advice is: do not install anything from outside the Play Store, and be wary of apps with only a handful of downloads. That advice did not hold up in the most recent case: a fake WhatsApp was downloaded more than 1 million times from Google's official store.
The trick was well executed: the app, listed on Google Play as “Update WhatsApp Messenger”, had the same visual identity as the original and was published by a developer called “WhatsApp Inc.”, exactly the name Facebook uses to distribute the legitimate version.
But how did Google let someone else register the same developer name as the original? The attacker had appended a Unicode character that Google Play does not render: in the listing's URL the developer name appeared as “WhatsApp+Inc%C2%A0.” (%C2%A0 is the percent-encoded UTF-8 form of U+00A0, a no-break space), and Google's system apparently treated that as a different string from “WhatsApp Inc.”, as reported by The Hacker News.
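The following is an added example, not code from the article or from Google: it reproduces the collision described above in Python and shows the check a store-side registry would need. It decodes the developer name exactly as it appeared in the link, lists the non-printing characters it contains, and compares names by a canonical key (NFKC normalisation, case folding, and removal of all separator and control/format characters) instead of by raw string equality. The `DeveloperRegistry` class is a toy model of that check; the real Play Console logic is not public, and the extra names used in the demo (a zero-width-space variant, “Signal Foundation”) are constructed inputs.

```python
import unicodedata
import urllib.parse

LEGIT_DEV = "WhatsApp Inc."


def url_decode_name(encoded: str) -> str:
    """Decode a developer name as it appears in a store URL.

    unquote_plus turns '+' into a space and decodes %XX byte sequences as UTF-8,
    so 'WhatsApp+Inc%C2%A0.' becomes 'WhatsApp Inc\u00a0.' (with a no-break space).
    """
    return urllib.parse.unquote_plus(encoded)


def hidden_chars(name: str):
    """Return (index, 'U+XXXX', unicode name) for every character that would be
    invisible or misleading in a rendered developer name: any separator other
    than the ordinary space (Zs/Zl/Zp) and any control or format character
    (Cc/Cf, e.g. zero-width spaces and bidi overrides)."""
    found = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if (cat[0] == "Z" and ch != " ") or cat[0] == "C":
            found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def canonical_key(name: str) -> str:
    """Collapse a name to a comparison key: NFKC maps U+00A0 to U+0020 and folds
    compatibility forms (fullwidth letters etc.), casefold removes case
    differences, and every separator/control/format character is dropped so
    'WhatsApp Inc.' and 'WhatsApp Inc\u00a0.' both become 'whatsappinc.'."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return "".join(ch for ch in folded if unicodedata.category(ch)[0] not in ("Z", "C"))


def is_impersonation(candidate: str, legit: str) -> bool:
    """True when two names are different strings but collapse to the same key,
    i.e. they differ only by characters a user cannot see."""
    return candidate != legit and canonical_key(candidate) == canonical_key(legit)


class DeveloperRegistry:
    """Toy model of a store-side uniqueness check (assumption: not Google's real
    logic). Names are keyed by canonical_key, so a registration that differs
    from an existing developer only by invisible characters is refused rather
    than being treated as a brand-new developer."""

    def __init__(self):
        self._by_key = {}

    def register(self, name: str):
        if hidden_chars(name):
            return (False, "name contains non-printing or non-standard whitespace characters")
        key = canonical_key(name)
        if key in self._by_key:
            return (False, f"collides with existing developer {self._by_key[key]!r}")
        self._by_key[key] = name
        return (True, "registered")


if __name__ == "__main__":
    fake = url_decode_name("WhatsApp+Inc%C2%A0.")
    print("raw equality:", fake == LEGIT_DEV)           # False: the naive check the attacker relied on
    print("hidden chars:", hidden_chars(fake))          # the no-break space at index 12
    print("impersonation:", is_impersonation(fake, LEGIT_DEV))
    reg = DeveloperRegistry()
    print(reg.register(LEGIT_DEV))
    print(reg.register(fake))                           # refused
    print(reg.register("WhatsApp\u200b Inc."))           # constructed zero-width-space variant, refused
    print(reg.register("Signal Foundation"))            # constructed unrelated name, accepted
```

The key point is that `fake == LEGIT_DEV` is false while `canonical_key(fake) == canonical_key(LEGIT_DEV)` is true; any uniqueness check that compares raw strings, as the store apparently did, lets the lookalike through. Rejecting names with hidden characters outright is the simpler rule; the canonical key additionally catches visible lookalikes such as case or spacing variants.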
The malicious application requested few permissions (it only needed internet access, after all). Once opened, it displayed a web page full of advertisements and tried to download a second APK named “whatsapp.apk”, according to an analysis posted by a Reddit user.
Google has since removed it, but the fake WhatsApp fooled more than 1 million people who trusted the Play Store, and it collected more than 6 thousand reviews in Google's store with an average rating of 4.2 stars, close to the 4.4 stars of the real app.
When neither Google Play's review filter, nor Play Protect, nor the user's own check of popularity and ratings works, the recommendation for staying secure on Android is: ¯\_(ツ)_/¯