Reddit users yesterday spotted an extremely convincing spoofed copy of the popular WhatsApp messenger on Google Play. The fake was downloaded by more than 1 million users, who instead of a messaging tool wound up with a bundle of ads.
According to Hacker News, the fake WhatsApp was nearly indistinguishable from the real thing thanks to an invisible space placed at the end of the developer’s name.
One of the security hounds discussing the case on Reddit pointed out that this was not an isolated incident, even for WhatsApp. A search for “WhatsApp” on Google Play currently shows no fewer than seven spoof apps using slight variations on the developer name “WhatsApp Inc.”, including versions with extra spaces, asterisks, or commas. All of them have four-star review averages, presumably thanks to industrial-scale subversion of Play’s review system.
Get Data Sheet, Fortune’s technology newsletter.
This is the latest in a long string of incidents in which Google has shown little seriousness in attempting to protect Google Play users. In prior incidents, security experts or unlucky users have encountered malware in compromised messaging apps, in a line of popular children’s games, and even in fake versions of Pokemon Go.
In this case, Google’s failure to protect WhatsApp’s intellectual property has a further dimension – WhatsApp is owned by Google’s primary competitor for online advertising revenue, Facebook.
After attracting unwanted attention, the rogue developer apparently changed the infringing name on their own.
