About 204 different “fleeceware” applications with a combined billion+ downloads have raked in more than $400 million in revenue so far, via the Apple App Store and Google Play, analysis has revealed.
Fleeceware apps generally offer users a free trial to “test” the app, before commencing automatic payments that can be exorbitant. In an analysis from Avast released on Wednesday, some of those subscriptions can reach $3,400 or more per year. And often, users are charged even after they’ve deleted the offending application.
“These applications generally have no unique functionality and are merely conduits for fleeceware scams,” said Avast researcher Jakub Vávra, in the posting. “While the applications generally fulfill their intended purpose, it is unlikely that a user would knowingly want to pay such a significant recurring fee for these applications, especially when there are cheaper or even free alternatives on the market.”
The company found that most of the offending apps (which were flagged to Apple and Google for review) are musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and something called “slime simulators,” which allow users to play with virtual goo. Clearly, many of these apps are marketed towards children. Unfortunately, parents often only figure out the source of the charges weeks or months later, according to the research.
“It appears that part of the fleeceware strategy is to target younger audiences through playful themes and catchy advertisements on popular social networks with promises of ‘free installation’ or ‘free to download,'” Vávra said. “By the time parents notice the weekly payments, the fleeceware may have already extracted significant amounts of money.”
3-Day Free Trials
Most of the apps that Avast discovered are offering a free three-day trial, according to the research. After that, the models vary. Most of the apps charge between $4 to $12 per week, which equates to $208 to $624 per year; but others charge as much as $66 per week, totaling $3,432 per year.
Avast also found several applications that were previously free or only required a one-off fee to unlock features; now, they have converted to charging expensive weekly subscriptions, with or without users’ knowledge.
Vávra noted that most of the apps are spreading via normal advertising channels, such as Facebook, Instagram, Snapchat and TikTok.
“As these applications are not considered malware and are available on official app stores, they also have access to official advertisement channels to spread the fleeceware scheme,” he noted. “Due to this scheme’s lucrative nature, the actors are likely investing substantial amounts of money to further propagate these apps via popular platforms.”
Once the user clicks on an ad (which usually features a video of the app that doesn’t match its actual features), the person is redirected to the app’s profile, usually featuring a four or five-star review average.
“The app profile looks official and doesn’t raise red flags at first sight,” the researcher said. “However, upon closer investigation, it becomes apparent that a big portion of the reviews are fake (they contain repeating text or are poorly-worded and generic in nature). There is reason to believe this form of review boosting is becoming a more prominent practice.”
Uninstalling Doesn’t Help
The worst part might be the quasi-permanent state of the “infection.” Vávra pointed out that both Google and Apple state that they aren’t responsible for subscription refunds after a certain time period, leaving victims with the app developers themselves as their main recourse.
“As evidenced by reviews, the developers can simply choose to ignore the users or claim the user’s knowledge about the subscription fee and refuse to refund the victims,” he said. “Several developer profiles that our team discovered provided links to discontinued websites or contact forms. All in all, it appears there is very little that victims can do in these scenarios other than contacting their bank and requesting a chargeback.”
The good news is that Google surfaces a notification prompt that warns users of active subscriptions for uninstalled apps; and Apple asks users whether they want to keep subscriptions when a user uninstalls an app. But there’s much more to be done, according to Vávra. For instance, apps could be required to ask for another confirmation before paying money for the actual subscription once the free trial is over. And, Apple and Google could remove and filter out fake and automated reviews.
Persistent App Scourge
For now, it’s likely this scourge will stick around. In January, Sophos research uncovered that these type of apps have been installed nearly 600 million times on 100 million plus devices, just from Google Play alone.
“The data is startling: With nearly a billion downloads and hundreds of millions of dollars in revenue, this model is attracting more developers and there is evidence to suggest several popular existing apps have updated to include the free trial subscription with high recurring fees,” Vávra said. “Unfortunately, this endeavour can be lucrative even if a small percentage of users fall victim to fleeceware.”
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)