However, fleeceware apps—which trick users into paying excessive amounts of money for simple apps with functionality that’s available free elsewhere—are still getting past Google’s radar in significant numbers, according to security researchers.
While researchers are skeptical the high installation numbers reported on Google Play are completely legitimate, they do believe that the download numbers of some of the apps—including a popular keyboard app that allegedly transmits the full text of whatever its users type back to China—are likely on the money.
“As we saw last fall, there were a wide variety of entertainment or utility apps, including fortune tellers, instant messengers, video editors and beauty apps,” researchers wrote in a blog post published Tuesday. “And just like last time, user reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected.”
“Free Trials” That Come With a Price
Fleeceware appears to be so successful on the Google Play marketplace because it takes advantage of a business model used widely throughout the Play market ecosystem, and among media providers in general, Sophos reported in previous research published in September. That model allows users to download and use apps for a short trial period without paying.
However, when the trial expires, if the user who downloads and installs one of these apps hasn’t both uninstalled the application and informed the app developer that they’re through with the app, the app developer charges the user. This model is similar to “free trial” offers, which put the responsibility of cancelling the services on the user.
Researchers did inform Google that these types of apps were active on the store back in September, and the company did take down the offending apps. However, since then “We’ve seen many more Fleeceware apps … appear on the official Android app store,” Chandraiah wrote.
These apps pose a number of annoyances for those getting “fleeced,” researchers said. Not only do they get charged exorbitant amounts of money with very little reward, “there’s little recourse” if they want a refund after realizing they’ve been charged because Google Play Store policies are “significantly less consumer-friendly” than ones from typical U.S. credit-card companies, they said.
Moreover, even users who followed an app’s subscription-model rules to unsubscribe still found themselves charged by the developer, according to negative reviews on the store, he said.
These fees are not just chump change either, the report revealed. While an earlier Sophos report found that fleeceware apps often charge a very large amount attributed to an annual subscription—such as $200 or more that can be broken down into “only” $16.67 per month, for example—the latest research found developers of these apps using more clever and financially damaging tactics.
Sneaky Subscription Ball and Chain
“In the intervening months, some publishers have decided to offer weekly and monthly ‘subscription’ payment options, instead of (or in addition to) annual charges,” researchers wrote. “Sure, it might make the amount look smaller, so users might be less likely to experience sticker shock, but it actually exacerbates the overcharging.”
For instance, in one case an app displayed subscription fees of $10 per week or $27 per month, which work out to $521 or $321 annually, he noted.
Researchers posted a list of known fleeceware apps, which they recommended users avoid when downloading from Google Play. They also advised users to be suspicious in general of any apps offering “free trials” and to read the fine print before downloading anything from an app store.