The original Plants vs. Zombies game enjoyed a great deal of popularity when PopCap Studios released it on iOS in 2010 and on Android in 2011. Now, with the approaching release of its sequel (soft-launched in New Zealand and Australia), cybercriminals have already begun taking advantage of the hype.
The first trickle of threats came around July 16, 2013. We discovered a survey scam website, hosted on Blogger and linked from a YouTube video page. The website turned out to be a typical survey scam with no malware tied to its bait.
More PvZ2-related threats popped up on our radar after that. As of July 22, we had discovered no less than seven of them in Google Play alone, either as a fake app download or as a ‘downloader’ for the app itself. One of them was found to be a fake app that pushed malicious ads to the user; it is detected as ANDROIDOS_FAKEZOMB.A. We expect to find more in the coming days.
Google has, however, been commendably quick in handling the threats found in Google Play. As of this writing, all of the fake apps have been removed from the store, and the fake ‘developers’ offering them for download have been suspended. Similar scams and frauds have also been suspended within 24 hours of being put up on the app market.
The existence of these threats and the social engineering behind them is nothing new; we have reported incidents like these in the past, targeting games such as Candy Crush, Bad Piggies and Temple Run. What is worth noting here, though, are the patterns emerging with each fake app download scam we see in Google Play. These are:
- The use of popular, up-and-coming sequels to high-profile game apps that are already available in the iOS App Store but not yet in Google Play
- The fake apps asking for 5-star ratings and reviews before they can be ‘played’
- The fake apps being free of charge, in contrast to the legitimate apps, which cost money
The first two are self-explanatory: they are designed to make the app more attractive for users to download. The third could also be considered a similar tactic, but there is another reason for it. App developers must register a Google Wallet account before they can set their app as a paid app, a compulsory rule in Google Play’s policies and agreements. Offering the fake apps for free could therefore be construed as cybercriminals trying to avoid having their fraudulent developer accounts traced back to them.
One possible response would be for Google to make Google Wallet registration compulsory for all developers wishing to release apps on Google Play. This would serve as identification and proof of legitimacy for legitimate developers, and also as a deterrent to cybercriminals.
Android may still be plagued with malware, but Google is certainly stepping up its efforts to combat its continuous rise. However, users should not become complacent, as the safety of their mobile devices is their main responsibility as owners. The standard rules of safe app downloading still apply: only download from verified first-party sources, and avoid sideloading or downloading from suspicious ‘developers’ or unauthorized parties.
For more information on the latest mobile threats and security, you may visit the Mobile Threat Information Hub. Trend Micro Mobile Security Personal Edition also provides protection for your Android device by detecting malicious and high-risk apps.
Additional analysis by Paul Pajares, Karla Agregado, Veo Zhang and Yang Yang