Fleeceware scams are raking in the money on the Google and Apple app stores, according to security researchers at Avast. Its latest investigation has uncovered 204 fleeceware apps with over a billion downloads and more than US$400 million in revenue. The apps work by promising a free trial period and then hit the users with heavy subscription charges. Even when uninstalled, most of the apps continue to pop up ads asking for money.
Avast says it has reported all of these fleeceware apps to Google and Apple. However, a quick check of 30 apps in Avast’s list shows that those apps are all still online. That is despite a long list of comments calling them scams and saying people can’t get their money back.
The target market for these apps seems to be mixed. Among the apps are QR code and PDF readers. With many people working from home and needing to scan QR codes when they go out, these apps cause additional concerns. That is because it is unclear what information the apps are taking from users’ devices.
The remainder of the apps include image editors, camera filters, musical instrument apps and games. While Avast says this means a younger age group is being targeted, that is not necessarily the case. The pandemic lockdown has seen many people take up new hobbies such as photography and musical instruments. As such, these apps are likely to appeal to a much wider age group.
What is fleeceware?
It’s a scam where the developer offers a very limited trial period and then demands payment to keep using the app. Most trial periods are 3 days or less and offer extremely limited functionality. In many cases, the free trial requires you to enter your payment details first.
The apps also rely on the subscriber not unsubscribing quickly. But many developers are not responding to cancellation emails. It leaves the consumer with a charge that is almost impossible to reverse. It is also not helped by Apple and Google refusing to get involved. They redirect any complaints to the developer while still banking their share of the sale and in-app purchases.
In its report, Avast commented: “In some cases, users can be charged as much as $66 per week, totalling a ludicrous $3,432 per year. Most of the discovered applications range from $4 to $12 per week, which equates to $208 to $624 per year. It goes without saying that users are extremely unlikely to willingly pay this amount for these applications.”
Fleeceware also hides the app’s true functionality that is unlocked with the subscription. Many apps use in-app purchases to boost functionality and keep the consumer hooked. It is lucrative for the fleeceware developer and the app stores. Maybe this is one reason why it takes a long time for app stores to remove them.
It is not just new apps that are involved in fleeceware scams. Avast highlighted apps that were purchased by users and only later became fleeceware. To do this, the developers disable the app and insist on a subscription. In effect, they are charging the consumer twice. This approach is harder for the app store to spot, as less checking is done on app updates than on a new app.
Enterprise Times: What does this mean?
It is easy to dismiss fleeceware as a consumer problem and nothing to do with the enterprise. However, as work from home continues and mobile phones become increasingly important to how people work, that is a mistake. As can be seen, some of the apps will appeal to home workers to help them read PDFs, work with images or scan QR codes. Others will appeal as they continue to learn new hobbies.
What no enterprise security team can be sure of is what information those apps are also grabbing. To protect users, organisations need to make sure they have access to approved applications on all their devices. They also need to think about how to deal with devices shared by children who are also targets of fleeceware campaigns.
There is also a need for app stores to do better. Both Google and Apple have defended what they charge developers as necessary to run a secure app store. Both are failing. Their processes to detect, remediate and remove these applications are clearly broken. More importantly, the trust of the customers they claim to hold dear appears to matter less than their share of the fleeceware money.