A new App in Google store named ‘Balloon Pop 2’, is seemingly innocent game that is actually recording user’s WhatsApp calls and publishes them on a website called WhatsAppCopy where anyone can put a phone number and watch the full transcript of the conversation.
This is not the first time Android malware creators exploit the Google Play platform, spreading malicious applications in disguise of games, therefore it is highly recommended to be caution even when you install applications from the official Google app store.
One of the scenarios in which such an application can get onto a device is by children who receive the device from their parents in order to play, and then download applications without distinction. Many parents allow their children to install applications on their device and when children see a colorful app it attracts their attention and they install it without thinking.
Moreover, the app can reach a device in ways far less innocent. We must not ignore the scenario where someone with access to our device, physical or remote, wants to track our WhatsApp calls and installs the App without our notice.
To avoid such scams, the following guidelines are recommended:
1 .Make sure you read the permissions that the app requires before you install it – there is no reason to assume that it’s OK for a game to have access to our calls. If the permissions the application requests look suspicious – Do not install it.
2. Ask the children to play with the games that are already installed on the device – so you can make sure they play safe games you already checked. Ask them to inform you if they want to download any new app, so you can make sure it is safe before they install it.
3. Do not leave your device alone – even if you’re in the office or at the neighborhood coffee shop. Someone can just install an app on your device while you go to the toilet or make yourself a coffee.
4. Set your device to automatically lock itself when it is not in use. If you accidentally leave your device alone, at least it will be impossible to install something on it…too easily that is.
5. Make sure your Google password is strong enough. All Google services, whether e-mail, storage or app store run by this same password, which means that if someone gets your password he could install applications on your device directly from Google Play. Therefore be sure to choose a strong password, and change it every once and a while and even consider using Google’s two-stage verification mechanism.