Phishing isn't hacking. That's just taking advantage of idiots who hit OK on everything.
When something asks for high-level permissions like that and doesn't need them, you should have 10 kinds of alarms going off in your head screaming "SCAM! FAKE! PHISHING!"