Fake Plants vs Zombies and other Android games infiltrate Google Play store, make money for fraudsters

Graham Cluley

Is Google doing a good enough job of policing apps in the official Android app store?

It seems not, judging by the number of bogus apps that continue to be made available for public download from Google Play, exploiting the name and reputation of legitimate games in an attempt to make money for fraudsters.

For instance, take a look at (but I suggest you don’t install) the apps made available by an Android app developer called “abbaradon”:

[Image: Some of the bogus apps in the Google Play store]


There are some pretty well known games listed there, including “Plants vs Zombies” and “PES 2012” (Pro Evolution Soccer).

[Image: Fake Plants vs Zombies]

The real Android version of “Plants vs Zombies”, developed by Electronic Arts, costs a few dollars, and has had thousands of reviews.

However, Abbaradon’s version is free, and has some fine print tucked away at the end of its description in the Google Play store:

Plants vs. Zombies Free! Please leave only positive feedback. If you have any support questions - please send us email. This is a Amazing puzzle specially for game fans.

Creating an app takes time and money, In order to keep creating great (and free!) apps, we are using a new search service to monetize our apps. With this service we are able to create more great apps for you guys. This option bundles a few search points (icon, bookmark and homepage) for you to use. You can erase these easily and with no effect to our app. Thanks!

The app itself isn’t Plants vs Zombies at all. It’s a simple jigsaw puzzle-type app, that uses an image from the game.

[Image: Fake Plants vs Zombies game - it's really a sliding jigsaw puzzle]

And it’s not just Abbaradon. SophosLabs has seen scores of similar bogus apps, trying to make money out of unsuspecting users, in the last couple of weeks. Google tries to stamp out the rogue developers, but they simply return with a new name and start uploading their fake apps again.

So, what happens if you run one of these apps?

In the screenshot below you can see what happened when we ran a fake version of PES 2012.

[Image: App's privacy policy]

The program admits that it is ad-supported and may display adverts both inside apps and in your Android device’s notification tray.

Furthermore, they say they will collect information about you – including your email address and phone number – if you click on any of the adverts, and pass it on to third parties.

And all you wanted to do was have a free game of football...

But it doesn’t stop there: the app is also going to change your browser’s home page, add a bookmark, and add icons to your device’s home screen. All of this is designed to earn money for the app developer.

[Image: The apps reveal how they are monetized]

Sure enough, a couple of search icons have been added to the Android home screen alongside the icons for the games we’ve downloaded.

[Image: New icons added by bogus Android apps]

Clicking on the icons leads to search engines, such as Moberium.

[Image: Moberium]

Various advertising frameworks are being used by the apps, including Apperhand, Clicxap, Airpush and Startapp – presumably earning money for the developer who is bandying around apps on the Google Play store, pretending that they are free versions of popular games.

Google doesn’t take kindly to app developers duping users in this way – and so the developers use different certificates and different names, and ensure that their packages are heavily obfuscated so they do not look alike.

Although it’s easy for a human analyst to determine that the apps are doing similar things, it seems that Google’s automated systems are finding it a far harder job to weed out these fake money-making apps from their Android app store.
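One way an analyst could automate the "similar things" a human spots in these apps (shortcut icons on the home screen, browser bookmark/homepage changes, a bundled ad framework) is a manifest triage check like the one below. This is an added example, not SophosLabs' detection logic: the AndroidManifest.xml is constructed, the two permission strings are Android's standard ones, and the ad-framework list is simply the names mentioned in this article matched as substrings of component names.

```python
"""Triage a decoded AndroidManifest.xml for the traits described above.

Added example, not Sophos's detection; the sample manifest is constructed and
the framework-name list comes from the article.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permissions that let an app add home-screen icons and
# rewrite browser bookmarks / the homepage (the behaviour described above).
SUSPICIOUS_PERMISSIONS = {
    "com.android.launcher.permission.INSTALL_SHORTCUT": "adds home-screen icons",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS": "edits bookmarks/homepage",
}

# Ad frameworks named in the article, matched as lowercase substrings of
# activity/service/receiver class names declared in the manifest.
AD_FRAMEWORKS = ("airpush", "startapp", "apperhand", "clicxap")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the suspicious permissions and ad-SDK components found."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    hits = {name: why for name, why in SUSPICIOUS_PERMISSIONS.items() if name in perms}
    components = []
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            name = (comp.get(ANDROID_NS + "name") or "").lower()
            if any(fw in name for fw in AD_FRAMEWORKS):
                components.append(name)
    # Flag only the combination: monetisation permissions plus a bundled ad SDK.
    return {"permissions": hits, "ad_components": components,
            "suspicious": bool(hits) and bool(components)}


# Constructed manifest imitating a repackaged "free game" with a bundled ad SDK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/>
  <application>
    <activity android:name=".PuzzleActivity"/>
    <service android:name="com.airpush.android.AdService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run against a manifest decoded from an APK (for example with apktool) rather than the raw binary XML inside the package.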

Sophos detects the bogus apps as Andr/NewyearL-B.

Android malware is a growing problem, with rogue apps even making their way into the official Google Play store. Last year, for instance, we talked about how one reader downloaded what he thought was an official Android version of the Legend of Zelda game, only to be bombarded by pop-up notifications and adverts.

If you think it’s time to protect your Android smartphone or tablet against the increasing number of threats, check out our free Android anti-virus app.

Thanks to SophosLabs researcher Vanja Svajcer for his assistance with this article.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
