Plant vs Zombies 2

I saw this in my Twitter feed last night and got a chance to look at it today. The long-awaited Android Plants vs Zombies 2 is still not out; however, some scamware that is one letter off from the name is available. One of them is kind of interesting and calls itself Plant vs Zombies 2. After you download it, it directs you to rate it five stars in the Play Store, and then tells you to go and download another game.

This is bad because the vast majority of people rating it five stars realize it's a scam, but don't realize that their five-star ratings stay attached to the app unless they go back and remove them, and those ratings steer other people toward downloading it. According to some reviews, it also plants an icon in your app drawer that claims to be an essential networking service, to discourage you from deleting it.

Meanwhile, the ratings sit there forever giving five stars to an application that solely exists to get you to download a different application. It’s a pretty interesting scheme. And while the name is ever so slightly different, the screenshots the developers are using to entice people into downloading the thing appear to be out of Popcap’s Plants vs Zombies 2 for iOS.

What’s pretty sinister about this thing are the permissions:

Your location
  - approximate location (network-based)
  - precise location (GPS and network-based)
Network communication
  - full network access
  - view network connections
  - view Wi-Fi connections
  - connect and disconnect from Wi-Fi
Phone calls
  - read phone status and identity
Storage
  - modify or delete the contents of your USB storage
System tools
  - access extra location provider commands
  - install shortcuts
  - uninstall shortcuts
  - read Home settings and shortcuts
  - test access to protected storage
Bookmarks and History
  - write web bookmarks and history
  - read your Web bookmarks and history
Your accounts
  - find accounts on the device
Affects Battery
  - prevent device from sleeping
  - control vibration
Your applications information
  - run at startup
  - close other apps

These permissions give the application the ability to change your browser's favorite pages, alter your browsing history to plant websites, read your browsing history and send it to the publisher of the scamware, kill any other app it wants, run at startup, find your exact location, wipe your storage, and download any material it wants – pretty much, you're giving it permission to do just about anything.
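A triage script for exactly this situation, added here as an example rather than anything from the original post: it parses the uses-permission lines from `aapt dump badging` output, compares them with the small set a casual game can justify, and explains what each excess permission lets the app do. The sample aapt output is constructed, and the manifest permission names are my assumed mapping of the Play Store labels quoted above.

```python
import re

# Constructed `aapt dump badging` output; the permission names are assumed to be
# the manifest names behind the Play Store labels listed in the post. Both aapt
# output styles (name='...' and bare '...') are included on purpose.
AAPT_OUTPUT = """\
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_LOCATION_EXTRA_COMMANDS'
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission: name='com.android.launcher.permission.UNINSTALL_SHORTCUT'
uses-permission: name='com.android.launcher.permission.READ_SETTINGS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission:'com.android.browser.permission.WRITE_HISTORY_BOOKMARKS'
uses-permission:'com.android.browser.permission.READ_HISTORY_BOOKMARKS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.VIBRATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.KILL_BACKGROUND_PROCESSES'
"""

# What a casual, ad-supported game can plausibly justify (assumed baseline).
GAME_BASELINE = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE",
                 "android.permission.WAKE_LOCK", "android.permission.VIBRATE"}

# Risk explanation for excess permissions, keyed by a substring of the name.
RISK = {"LOCATION": "tracks device location", "PHONE_STATE": "reads device identity",
        "EXTERNAL_STORAGE": "reads or wipes shared storage",
        "HISTORY_BOOKMARKS": "reads or plants browser history",
        "SHORTCUT": "plants or removes launcher icons",
        "launcher.permission.READ_SETTINGS": "reads launcher layout",
        "GET_ACCOUNTS": "enumerates accounts", "BOOT_COMPLETED": "starts at boot",
        "KILL_BACKGROUND": "kills other apps", "WIFI": "inspects or toggles Wi-Fi"}

PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'")

def parse_permissions(dump):
    """Extract uses-permission names from aapt output (handles both quote styles)."""
    return [m.group(1) for line in dump.splitlines() if (m := PERM_RE.match(line))]

def triage(perms, baseline=GAME_BASELINE):
    """Map every permission outside the baseline to the risk it represents."""
    return {p: next((why for key, why in RISK.items() if key in p), "not needed by a game")
            for p in perms if p not in baseline}
```

Run `triage(parse_permissions(AAPT_OUTPUT))` to get the sixteen out-of-scope permissions with a one-line reason each.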

So, when you hear about thousands of Android users getting busted running child pornography web servers on their phones in a couple of months, well… OK, perhaps that's the extreme of what's possible with these permissions, but it's not particularly far-fetched.

Always read the permissions. On an unrooted device, the app can only do what you allow it to do, and in this case it’s pretty absurd. Hopefully Popcap will submit a DMCA request, as there doesn’t appear to be the option to report scamware on the new Play Store.