Early last week, over one million people were fooled into downloading a fake application via the Google Play Store. Masquerading as popular messaging software WhatsApp, the hoax serves as a reminder of Google’s troubles in keeping malware-infected apps out of its mobile app store.

This particular scam was concealed as a WhatsApp update from a rogue developer who posed as the messaging service by using the same title as the official developer. Using Unicode, the developer was able to add a character space after the WhatsApp developer title, making it virtually indistinguishable from the official app’s name. Rather than serving as an update for the popular chat app, the software was filled with advertisements for other apps — an effective way for fraudulent developers to make money from revenue generated by clicks and views.

This incident reinforces the insecurity of Google’s Play Store, which has been rife with malware-related issues for a long while. For example, September saw Android malware “ExpensiveWall” spread across over 50 apps in the Play Store. Downloaded between 1 and 4.2 million times before removal, the hidden malware secretly registered victims of the scam for paid online services, sent fraudulent text messages from smartphones, and left users to pay the bill. All of this could occur without the knowledge of the victim.

While autonomy is the linchpin of Android’s ethos, its sheer size makes it a challenge to regulate. This is how malicious apps continually fly under the radar of Play’s defences. In response to pervasive malware threats, Play introduced its bug bounty program in October alongside its existing screening methods, where people who assist in identifying and reporting bugs may receive up to $1,000 in rewards.

In the meantime, remain vigilant when using the Play Store. Make sure to check your app permissions, read reviews of apps you are thinking of downloading, and consider installing a third-party malware scanner. Stay smart, stay switched on.