Hacker Lexicon: What Is Fleeceware, and How Can You Protect Yourself?

Sneaky developers are charging big bucks for basic apps. Here’s how to spot a scam in sheep’s clothing.

It’s always safer to download mobile apps from official stores like Google Play and Apple’s iOS App Store, but even then there’s still some risk that malicious apps have snuck in. You’ve already heard of spyware, adware, and malware writ large, but now there’s another flavor of sketchy app to worry about: fleeceware.

Fleeceware is tricky, because there’s typically nothing malicious in the code of the offending apps. They don’t steal your data or try to take over your device, meaning there’s nothing malware-like for Google and Apple’s vetting process to catch. Instead, these scams hinge on apps that work as advertised but come with hidden, excessive subscription fees. A flashlight app that costs $9 per week or a basic photo filters app that’s $30 per month would both be fleeceware, because you can get the same types of tools for free, or much cheaper, from other apps.

Sophos, the security firm that coined the term fleeceware, found 25 such apps on Google Play in January that had a combined total of more than 600 million downloads. At the beginning of April, the researchers highlighted 30 apps in the iOS App Store that they say fall under the category.

“In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that’s up to them,” says Sophos senior security adviser John Shier. “But it’s just the exorbitant price that you’re being charged, and it’s not done aboveboard. That, to me, is not ethical.”

Fleeceware schemes often crop up in the same genres of apps that are used for other mobile scams and attacks. These are generally benign-looking tools like simple photo and video filters and editors, horoscope apps or fortune-telling tools, QR code and barcode scanners, or utilities like flashlights and custom keyboards. The Sophos researchers also suspect that fleeceware developers use zombie accounts to post five-star reviews or inflate their download numbers in Google Play to make their offerings look more legitimate.

Though fleeceware apps don’t grab your data or run ad fraud from your device, they often flout the standards that Apple and Google set for when and how developers can present in-app purchases and subscription fees. Some claim to offer a trial period but will prompt you to pay the first time you open the app. Others say that a subscription will be one amount in most of their app materials, but then actually charge a higher fee at checkout. And the apps also take advantage of users who don’t know how to cancel a subscription to keep charging them long after they’ve deleted the app.

“Fleeceware has been a thing for a while now using different techniques,” says Thomas Reed, an Apple security researcher at the system-monitoring firm Malwarebytes. “The App Store supports trial periods where you sign up for a subscription, and it’s free for a while, but then charges you if you don’t cancel before the end of the free period. It postpones the credit card charges in hopes the user won’t know what they are later.”

Reed points out that some iOS fleeceware apps a couple of years ago tricked users into confirming something that looked minor using Apple’s TouchID but actually approved a payment behind the scenes. Apple has since banned this type of bait and switch.

In spite of Apple’s and Google’s rules around in-app purchases, fleeceware developers can still lure people into making purchases through their Apple and Google accounts, or even just collect their credit card information directly without oversight. Sophos researchers say that many of the fleeceware apps they saw last fall charged an annual subscription, but that scammers are increasingly moving to monthly or weekly payments. That’s likely an attempt to reduce sticker shock, enable fraudsters to charge more over time, and try to make the payments blend in with the other streaming services and legitimate app subscriptions people already have.

Google announced two weeks ago that it is tightening its requirements so developers have to make details of subscriptions, free trials, and introductory offers more clear. Google is also taking steps to mandate better transparency about managing and canceling subscriptions.

“Part of improving the subscription user experience comes from fostering a trustworthy platform for subscribers; making sure they feel fully informed when they purchase in-app subscriptions,” Google product manager Angela Ying wrote in a blog post for developers about the changes. App makers have until June 16 to comply with the new policies in their existing apps on Google Play.

Similarly, Apple’s guidelines for developers explicitly prohibit unreasonable pricing, bait-and-switch subscriptions, and scams.

“While pricing is up to you, we won’t distribute apps and in-app purchase items that are clear rip-offs. We’ll reject expensive apps that try to cheat users with irrationally high prices,” Apple says in its notes to developers. Apple and Google take a 30 percent cut of an app’s revenue the first year, making the companies unwitting beneficiaries of fleeceware hauls.

To avoid fleeceware, try to rely on apps from prominent developers. Keep in mind that big tech companies already offer most basic tools and utilities like emojis, selfie filters, and QR code scanners for free. You can always do a quick web search to compare prices if you’re not sure about something more niche. And if you’re worried that your past signups might be a bit out of control, Android and iOS both offer centralized lists of the subscriptions they manage for you. Keep in mind, though, that subscriptions you’ve set up independently (for example, by giving a developer your card details directly) won’t be listed there.

On iOS, go to this page or open Settings, tap your name, and then tap Subscriptions to view and manage everything. You can also open the App Store, tap your initials in the upper right corner, and tap Subscriptions.

On Android, open the Play Store, tap the hamburger menu icon in the upper right and choose Subscriptions to view and manage your signups.

Fleeceware is sneaky, but if all else fails, Sophos’ Shier has one other tip for protecting yourself. “Do the arithmetic,” he says. “Check if functionality that you could get for a one-time $1.99 cost or for free now costs upward of $500 per year.” If that’s what the calculator shows, something is definitely wrong.

All Rights Reserved for Lily Hay Newman
