It’s always safer to download mobile apps from official stores like Google Play and Apple’s iOS App Store, but even then there’s still some risk that malicious apps have snuck in. You’ve already heard of spyware, adware, and malware writ large, but now there’s another flavor of sketchy app to worry about: fleeceware.
Fleeceware is tricky, because there’s typically nothing malicious in the code of the offending apps. They don’t steal your data or try to take over your device, meaning there’s nothing malware-like for Google and Apple’s vetting process to catch. Instead, these scams hinge on apps that work as advertised but come with hidden, excessive subscription fees. A flashlight app that costs $9 per week or a basic photo filters app that’s $30 per month would both be fleeceware, because you can get the same types of tools for free, or much cheaper, from other apps.
Sophos, the security firm that coined the term fleeceware, found 25 such apps on Google Play in January that had a combined total of more than 600 million downloads. At the beginning of April, the researchers highlighted 30 apps in the iOS App Store that they say fall under the category.
“In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that’s up to them,” says Sophos senior security adviser John Shier. “But it’s just the exorbitant price that you’re being charged, and it’s not done aboveboard. That, to me, is not ethical.”
Fleeceware schemes often crop up in the same genres of apps that are used for other mobile scams and attacks. These are generally benign-looking tools like simple photo and video filters and editors, horoscope apps or fortune-telling tools, QR code and barcode scanners, or utilities like flashlights and custom keyboards. The Sophos researchers also suspect that fleeceware developers use zombie accounts to post five-star reviews or inflate their download numbers in Google Play to make their offerings look more legitimate.
Though fleeceware apps don’t grab your data or run ad fraud from your device, they often flout the standards that Apple and Google set for when and how developers can present in-app purchases and subscription fees. Some claim to offer a trial period but will prompt you to pay the first time you open the app. Others say that a subscription will be one amount in most of their app materials, but then actually charge a higher fee at checkout. And the apps also take advantage of users who don’t know how to cancel a subscription to keep charging them long after they’ve deleted the app.
“Fleeceware has been a thing for a while now using different techniques,” says Thomas Reed, an Apple security researcher at the system-monitoring firm Malwarebytes. “The App Store supports trial periods where you sign up for a subscription, and it’s free for a while, but then charges you if you don’t cancel before the end of the free period. It postpones the credit card charges in hopes the user won’t know what they are later.”
Reed points out that some iOS fleeceware apps a couple of years ago tricked users into confirming something that looked minor using Apple’s Touch ID but actually approved a payment behind the scenes. Apple has since banned this type of bait-and-switch.
In spite of Apple’s and Google’s rules around in-app purchases, fleeceware developers can still lure people into making purchases through their Apple and Google accounts, or even just collect their credit card information directly without oversight. Sophos researchers say that many of the fleeceware apps they saw last fall charged an annual subscription, but that scammers are increasingly moving to monthly or weekly payments. That’s likely an attempt to reduce sticker shock, enable fraudsters to charge more over time, and try to make the payments blend in with the other streaming services and legitimate app subscriptions people already have.