Fake WeChat App Exposes Security Flaws: From Reverse Engineering to Criminal Conviction
A Chinese court case reveals how a reverse‑engineered, unauthorized WeChat client for feature phones spread illegal ads, compromised encrypted communications, and led to criminal charges for providing tools to infiltrate computer systems, highlighting serious information‑security risks and the legal consequences of software piracy.
On March 18, 2020, China’s judicial documents portal published a criminal judgment involving Hangzhou Tihu Network Technology Co., Ltd., which developed an unauthorized WeChat client for feature phones to enable text and voice chat with official WeChat users.
Users of low‑end “feature phones” began encountering illegal advertisements within this fake WeChat, prompting complaints that the software was not an official Tencent product but a cracked version that broke the encrypted communication protocol.
Tencent’s investigation identified Tihu as the developer and reported the matter to public security authorities in April 2018.
Four of the company’s partners and engineers, all holding at least bachelor’s degrees, were detained and only then realized that creating an unlicensed WeChat client constituted a crime.
Because the official WeChat could not run on memory‑constrained feature phones, a market demand emerged for a compatible version. Unauthorized developers reverse‑engineered the official client, extracting data structures and encryption algorithms, and produced a “fake” WeChat that was pre‑installed or offered via icons linking to Tihu’s servers.
Two Shenzhen technology firms helped distribute the fake client to multiple manufacturers, updating the software through their servers.
Testimony from a Tencent security employee confirmed that the cracked client could communicate with Tencent’s servers using forged encrypted packets, threatening the integrity of the communication system and potentially endangering payment data.
Forensic analysis of a Tianyi cloud server’s WeChat database extracted over half a million login records and tens of thousands of user entries, providing evidence of the scale of the illegal operation.
The court sentenced Lu, Song, and two others to ten months’ imprisonment with a one‑year suspended sentence and fines of RMB 80,000 each; two defendants received no criminal punishment.
Experts later clarified that the fake client functions only as a “plug‑in” that cannot monitor or hijack other users’ data, but the case underscores the need for stronger anti‑tampering and anti‑reverse‑engineering protections in official apps.
21CTO
