I saw this in my Twitter feed last night and got a chance to look at it today, but the long awaited Android Plants vs Zombies 2 is still not out; however, some scamware that’s one letter off of the name is available. One of them is kind of interesting and calls itself Plant vs Zombies 2. After you download it, it directs you to rate it five stars in the Play Store, and then tells you to go and download another game.
This is bad because the vast majority of people rating it five stars realize it’s a scam, but don’t realize that their five-star ratings stay attached to the app unless they go back and remove them, and in the meantime those ratings steer other people toward downloading it. According to some reviews, it plants an icon that claims it’s an essential networking service in your app drawer to keep you from deleting it.
Meanwhile, the ratings sit there forever giving five stars to an application that solely exists to get you to download a different application. It’s a pretty interesting scheme. And while the name is ever so slightly different, the screenshots the developers are using to entice people into downloading the thing appear to be out of Popcap’s Plants vs Zombies 2 for iOS.
What’s pretty sinister about this thing are the permissions:
Your location: approximate location (network-based); precise location (GPS and network-based)
Network communication: full network access; view network connections; view Wi-Fi connections; connect and disconnect from Wi-Fi
Phone calls: read phone status and identity
Storage: modify or delete the contents of your USB storage
System tools: access extra location provider commands; install shortcuts; uninstall shortcuts; read Home settings and shortcuts; test access to protected storage
Bookmarks and History: write web bookmarks and history; read your Web bookmarks and history
Your accounts: find accounts on the device
Affects Battery: prevent device from sleeping; control vibration
Your applications information: run at startup; close other apps
These permissions give the application the ability to change your browser favorite pages, change your browsing history to plant websites, read your browsing history to send to the publisher of the scamware, kill any other apps it wants, run at startup, find your exact location, wipe your storage, download any materials it wants – pretty much you’re giving it permission to do just about anything.
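The way to make that judgement repeatable is to compare what a manifest asks for against what the app’s advertised purpose could possibly need. The script below is an added example written for this post (not code from the original author, and not taken from the scam app): it pulls every uses-permission entry out of an AndroidManifest.xml and reports the ones an offline casual game cannot justify, annotated with the capability each grants in the terms used above. The mapping from manifest constants to Play Store labels, the baseline of what a game legitimately needs, and the sample manifests are all assumptions constructed for the example.

```python
"""Permission triage for an Android manifest.

Added example for this post, not code from the original author or the app.
It pulls every <uses-permission> out of an AndroidManifest.xml and reports the
ones a casual offline game cannot justify. The mapping from manifest constants
to Play Store labels, and the baseline of what a game legitimately needs, are
assumptions of this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# constant -> (Play Store label, why it matters for a "game"; None = acceptable)
# Assumption: these are the constants behind the labels the post lists.
PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": ("approximate location (network-based)", "find your location"),
    "android.permission.ACCESS_FINE_LOCATION": ("precise location (GPS and network-based)", "find your exact location"),
    "android.permission.INTERNET": ("full network access", None),
    "android.permission.ACCESS_NETWORK_STATE": ("view network connections", None),
    "android.permission.CHANGE_WIFI_STATE": ("connect and disconnect from Wi-Fi", "toggle your Wi-Fi"),
    "android.permission.READ_PHONE_STATE": ("read phone status and identity", "read device identifiers"),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("modify or delete the contents of your USB storage", "wipe or fill your storage"),
    "com.android.launcher.permission.INSTALL_SHORTCUT": ("install shortcuts", "plant launcher icons"),
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": ("write web bookmarks and history", "change favourites and plant history"),
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": ("read your Web bookmarks and history", "read browsing history to send to the publisher"),
    "android.permission.GET_ACCOUNTS": ("find accounts on the device", "enumerate your accounts"),
    "android.permission.WAKE_LOCK": ("prevent device from sleeping", None),
    "android.permission.VIBRATE": ("control vibration", None),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("run at startup", "run at startup"),
    "android.permission.KILL_BACKGROUND_PROCESSES": ("close other apps", "kill any other app"),
}


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]


def triage(manifest_xml):
    """Return (constant, label, reason) for each permission a game cannot justify.

    Constants missing from the table are reported too: a permission you cannot
    name is not one you should be granting.
    """
    findings = []
    for perm in parse_permissions(manifest_xml):
        label, reason = PERMISSIONS.get(perm, ("(not in table)", "unrecognised permission"))
        if reason is not None:
            findings.append((perm, label, reason))
    return findings


def verdict(manifest_xml, threshold=3):
    """Call the app suspicious once it asks for `threshold` or more unjustified permissions."""
    return "suspicious" if len(triage(manifest_xml)) >= threshold else "plausible"


# Constructed sample: a "game" whose manifest mirrors the kind of request list
# quoted in the post. Not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.fake.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>
"""

# Constructed sample: what an honest offline game typically asks for.
HONEST_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.honest.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, label, why in triage(SAMPLE_MANIFEST):
        print(f"{label:50} -> {why}")
    print("fake game:", verdict(SAMPLE_MANIFEST))
    print("honest game:", verdict(HONEST_GAME_MANIFEST))
```

The baseline is deliberately small: a game may need network access for ads or leaderboards and may want to vibrate or keep the screen on, but nothing about a tower-defence game calls for your location, your browser history or the ability to kill other apps. Adjust the table to the kind of app you are vetting; the point is that the comparison is against the app’s stated purpose, not against what the permission dialog makes sound harmless.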
So, when you hear about thousands of Android users getting busted running child pornography web servers on their phones in a couple of months, well… OK, perhaps that’s the extreme of what’s possible with these permissions, but it’s not particularly far-fetched.
Always read the permissions. On an unrooted device, the app can only do what you allow it to do, and in this case it’s pretty absurd. Hopefully Popcap will submit a DMCA request, as there doesn’t appear to be the option to report scamware on the new Play Store.