David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

EXECUTIVE SUMMARY:

The present-day Android and iOS threat landscape is dominated by two strains of malicious code: adware and spyware. The former deluges devices with annoying advertisements, and the latter tries to steal sensitive data behind a victim’s back. As if these ploys were not impactful enough, one more type of predatory mobile software has recently made its debut and is keeping security analysts on their toes. It is called fleeceware.

Unlike mainstream malware oldies, fleeceware apps do not harm devices, nor do they pose an immediate risk to users’ personally identifiable information. Instead, they bait victims with short-term free trial offers and then overcharge them via expensive subscriptions.

Upon rudimentary examination, this scheme does not seem to be at odds with garden-variety app marketing practices out there. Numerous developers take a free trial route to attract potential audiences. However, in the case of fleeceware, there is a subtle difference hidden in plain sight.

Throughout the entire app promotion cycle, would-be victims remain clueless regarding the fact that the “free ride” will end with a fee that’s automatically withdrawn from the credit card tied to the individual’s Apple App Store or Google Play account. Most users do not read the fine print, such as the terms of service, and end up on the scammers’ hook. To top it off, there are no in-app or email reminders about an upcoming paid subscription in most scenarios.

A serious concern is that both Google and Apple give most of these dubious products the green light to be uploaded to their official software portals. That is because these apps do not exhibit malicious behavior, and the tech giants’ automated checks do not flag them as harmful.

By and large, the biggest problem is that fleeceware makers are not fair and square about their subscription model. If a user uninstalls the app before the free trial expires, but forgets to cancel the subscription in their account settings, the payment will get through anyway.

Inner workings of the fleeceware economy – taking a closer look

Researchers have recently checked the Apple App Store and Google Play for instances of fleeceware, and their findings are eyebrow-raising. The white hats came across more than 200 such apps, with the total number of downloads exceeding a billion.

According to rough estimates, these products have earned their makers at least $400 million. In some cases, the post-trial subscription fees reach $66 per week, which means that unsuspecting users are bilked of well over $3,000 annually. The vast majority of these apps siphon off less money, though – their weekly prices range from $4 to $12.

The reasonable question is, what makes so many people lose vigilance and install these rogue entities? Malicious actors stay abreast of hype trains and create simplistic apps that fit the current trends. The top categories of fleeceware discovered by analysts were QR code scanners, image editors, fortune tellers, musical instrument apps, PDF readers, and slime simulators.

While delivering no unique functionality compared to alternatives, these utilities mostly do what they are supposed to and do not cause any adverse effects on mobile devices or on users’ data. However, people would think twice before installing them if they knew about the upcoming charges, especially when many counterparts on the market have a more appealing price tag, and some are completely free with no strings attached.

Another thing that makes this foul play so lucrative is that fleeceware operators mainly zero in on kids and teenagers through eye-catching promo materials on social media sites, such as Instagram, Facebook, and TikTok. These ads emphasize the “free installation” part of the marketing mantra and omit the caveats. Young users are easier to manipulate and less likely to go the extra mile of canceling subscriptions.

If a person gets interested and taps the intriguing advertisement, they are forwarded to the app’s profile on the official marketplace for Android or iOS devices, depending on the manufacturer of the visitor’s smartphone. The profile is usually full of four- or five-star reviews, many of which are clearly bogus as they contain repetitive text and have a similar writing style.

These fake feedback elements occupy the whole review feed and thus eclipse real comments of dissatisfied users. The abundance of misleading reviews makes it problematic to make an informed decision and fuels the hugely controversial business model.

Stopping the hoaxes at the app store level

As the fleeceware problem escalates, it would be great if Google and Apple stepped up their efforts to keep users from falling victim to these scams. Both services currently display a subscription cancellation prompt whenever a person is uninstalling an app that has a valid subscription. This mechanism is certainly welcome, but the above statistics show that it is not enough.

Another effective countermeasure would be to require an extra confirmation that the user actually wants to pay to continue using an app after the free trial ends. With this scheme in place, the app’s features would be put on hold until the person expressly accepts the subscription terms and knowingly makes a payment.

As an additional layer of protection, software marketplaces should enhance their anti-fraud algorithms to pinpoint and flush out phony reviews. As previously mentioned, numerous dummy feedback items obscure real reviews on app profile pages and cause people to make wrong decisions.

Also, greater transparency about in-app purchases would be beneficial. Software developers should communicate this information to users in an explicit way rather than obfuscating it underneath unclear messages and cumbersome settings.

How to steer clear of fleeceware?

The fact that fleeceware per se is not malicious is both good and bad news. While it does not harm a mobile device in any way, it also does not raise any red flags when assessed by app stores’ security instruments. As a result, these products are available on the official trusted software marketplaces.

With Google and Apple having difficulties detecting various scams, prevention is mostly up to the user at this point. The following tips will help you avoid these increasingly prolific rip-off schemes.

  • Treat short-term trial offers with caution. Most fleeceware apps ensnare users with attractive three-day free trials without clearly mentioning what happens next. If you come across a product that promises an evaluation period of less than a week, take a closer look. Also, find out all the details of subsequent pricing beforehand.
  • Scrutinize the terms of service. Take your time to read the information on the app’s profile, including the terms regarding in-app purchases. Although the real subscription price is typically mentioned somewhere below the fold, you will find it if you look carefully.
  • Read more than a few reviews. Since fleeceware authors try to flood their app profiles with fake reviews to keep genuine ones out of sight, make sure you scroll down and read as much user feedback as you can. If vanilla-looking five-star reviews at the top are followed by one-star reviews further down, you are probably dealing with a scam.
  • Beware of super-catchy ads on social networks. In many cases, fleeceware promotion hinges on misleading video ads that do not have much to do with the app being marketed. Refrain from engaging with such advertisements.
  • Look for alternatives. If you think the subscription price is blown out of proportion, look for counterparts that provide similar features. Many of these rogue apps are copycats of other products that are less expensive or free to use.
  • Improve your payment hygiene. Configure your app store purchases to require additional verification through your password or biometrics. This will prevent unwanted subscription charges from flying below the radar.
  • Discuss the issue with your kids. With young users being the primary targets of fleeceware frauds, be sure to talk to your children about the risk. Explain what giveaways to watch out for and why these apps do not belong on their devices.
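As an added illustration that is not part of the original article or any real store tooling, the Python heuristic below checks a listing for the warning signs described above: a trial shorter than a week, weekly billing (annualized so the real cost is visible), near-duplicate review text, and glowing reviews on top followed by one-star complaints further down. The `Listing` fields, the thresholds and the sample app are this example’s own assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Listing:  # minimal store profile; field names are this example's own, not a store API
    name: str
    trial_days: int
    weekly_price_usd: float
    reviews: list  # (stars, text) in the order the store page shows them

def annual_cost(weekly_price_usd):
    # Weekly subscriptions bill 52 times a year: $66/week works out to $3,432.
    return round(weekly_price_usd * 52, 2)

def near_duplicate_ratio(texts, threshold=0.7):
    """Share of reviews whose word set overlaps some other review by >= threshold (Jaccard)."""
    sets = [set(re.findall(r"[a-z']+", t.lower())) for t in texts]
    dup = 0
    for i, a in enumerate(sets):
        if any(i != j and a | b and len(a & b) / len(a | b) >= threshold for j, b in enumerate(sets)):
            dup += 1
    return dup / len(sets) if sets else 0.0

def glowing_head_sour_tail(reviews, head=3):
    """True when the first `head` reviews are all 4-5 stars and a 1-2 star review follows."""
    top, rest = reviews[:head], reviews[head:]
    return len(top) == head and all(s >= 4 for s, _ in top) and any(s <= 2 for s, _ in rest)

def fleeceware_signals(listing, dup_threshold=0.5):
    """Return the warning signs the article describes that are present on a listing."""
    signals = []
    if listing.trial_days < 7:
        signals.append(f"trial of only {listing.trial_days} days")
    if listing.weekly_price_usd > 0:
        yearly = annual_cost(listing.weekly_price_usd)
        signals.append(f"weekly billing of ${listing.weekly_price_usd:.2f} (${yearly:,.2f}/year)")
    if near_duplicate_ratio([t for _, t in listing.reviews]) >= dup_threshold:
        signals.append("most reviews are near-duplicates of each other")
    if glowing_head_sour_tail(listing.reviews):
        signals.append("five-star reviews on top, one-star complaints further down")
    return signals

# Constructed sample listing for demonstration, not a real app.
SAMPLE = Listing("Slime Simulator Pro", trial_days=3, weekly_price_usd=9.99, reviews=[
    (5, "Best slime app ever, love it so much!"),
    (5, "Best slime app ever love it so much"),
    (5, "Love it so much, best slime app ever"),
    (1, "Charged me after three days and I could not cancel in time"),
    (1, "Scam, billed weekly the moment the free trial ended"),
])
```

Running `fleeceware_signals(SAMPLE)` returns all four signals for the constructed listing, while a listing with a two-week trial, no weekly fee and varied reviews returns an empty list.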

Summary

The impact of fleeceware goes beyond defrauding users of money. This dodgy phenomenon undermines trust and discourages victims from dealing with official application portals further on. As a result, mobile software makers who play by the rules will ultimately take a hit. With the issue poised to grow, app stores need to prioritize the implementation of more effective techniques to expose and filter out these scams.