Android game steals WhatsApp chats and offers them for sale
If you’re new here, you may want to subscribe to the RSS feed, like us on Facebook, or sign-up for the free email newsletter which contains computer security advice, news, hints and tips. Thanks for visiting!
An Android game has been removed from the official Google Play store after it was found to be secretly stealing users’ WhatsApp conversation databases, and offering them for sale on an internet website.
Balloon Pop 2
The game, Balloon Pop 2, is nothing to write home about – but behind its simple exterior lies the ability to scoop up private conversations that you may have made via WhatsApp on your Android device, and upload them to a website called WhatsAppCopy.
Code from Balloon Pop 2
The attacker can then visit the WhatsAppCopy website, enter the phone number of the Android device they are targeting, and (for a fee) access the private conversations.
Install the game, find your phone, read your conversations
FREE Try it, it works!
The WhatsAppCopy website openly advertises the BalloonPop2 game as a way of “backing up” a device’s WhatsApp conversations.
Of course, the people behind the website and the BalloonPop2 game would probably argue that they are providing a legitimate service to people who want to create a remote backup of their WhatsApp conversations, and it’s not their fault if the game is misused by people trying to snoop on other people’s privacy.
Balloon Pop 2 and WhatsAppHowever, if that were really the site’s intentions, wouldn’t it be appropriate if a big fat unavoidable warning message was displayed before the game did its dirty deed – giving users the option to realise what was occurring and opt out if they wanted?
Google clearly takes a dim view of the app, as it has now removed it from the official Google Play Android app store.
But, of course, it’s quite possible that the app will be widely distributed via unofficial stores – and future versions could be distributed using other disguises than a balloon-popping game.
Clearly, there are a few lessons to be learnt here.
One is that just because an app is in the official Google Play store, it cannot necessarily be trusted. Google, unfortunately, has a pretty poor record in policing its Android app store. This isn’t the first time that a dodgy app has been found up there, and it won’t be the last. Google, can you please get your act together? Your chairman’s claims that Androids are more secure than iPhones are laughable.
At least Apple has tight reins over the programs which make it into the iOS store for iPhones and iPads.
Second, WhatsApp needs to get better at security. If Android is going to allow apps like BalloonPop2 to scoop up users’ private conversations, then maybe WhatsApp (and similar programs) need to do a better job of encrypting those conversations on the device itself.
Security researchers at McAfee tell me that they are adding detection of the offending BalloonPop2 application as Android/Ballonpoper for their customers, and I imagine other vendors will follow in due course.
Instituto Internacional de Seguridad Cibernética
International Institute of Cyber Security