Beware of fleeceware

Remember how Pulp Fiction hitman Vincent Vega wanted to try a milkshake simply because it cost a whopping $5? That’s a completely normal reaction — many people automatically associate high price with some extraordinary quality. So, if they can sample an expensive product free, even those who don’t plan to buy are interested. Some smartphone app developers take advantage of this human trait.

Fleeceware apps entice Google Play and App Store users with a free trial period, and then charge them for a paid subscription even when uninstalled

The cost of curiosity

In late September, infosec researchers found a collection of calculators, QR code scanners, photo enhancers, and other programs with basic functionality on Google Play at clearly inflated subscription prices of up to €200 per month. The apps had been downloaded by tens of millions of people, if not more.

Users were promised a three-day trial period. Realizing that subscribing to such apps would be pointless, many users uninstalled them. But they were still charged.

How did this happen? First, victims had to provide the apps with their payment details the first time they tried to run the apps — without this, the apps wouldn’t even start. This enabled the greedy apps to charge for subscription without asking for user consent.

Second, uninstalling the app from the device is not the same thing as unsubscribing. This makes some sense — it prevents you from losing, say, your playlists in a music player app if you delete it by mistake, restore the device’s factory settings, or use the app on a new phone. However, many don’t know about this particular nuance. And even those who do sometimes forget to cancel subscriptions, which is what fleeceware writers feed on.

Not technically malware

You might ask why such apps were allowed onto Google Play in the first place. Alas, technically these “gilt-edged” calculators and QR scanners do not violate the store’s rules. They perform their stated function, do not request unnecessary permissions, and do not contain malicious code. As for the subscription prices, no current rules would bar them from Google Play.

For many countries, there is a set upper limit — but it’s the same for an advanced video editor, which might genuinely be worth the money, as it is for a QR scanner or flashlight app. At the time of this writing, the ceiling in the US is $400, while in most of the European Union and the UK it’s a bit less — €350 and £300 respectively. If the subscription price falls below this, the store approves the app — whereupon users decide for themselves whether to cough up for certain features. And they have only themselves to blame if they don’t understand how subscriptions work.

Nevertheless, when Google became aware of the issue, 14 of the 15 overcharging apps were removed from Google Play — and almost immediately after, the researchers found nine more. In reality, the main app stores are probably teeming with many more such programs.

Fleeceware: A new name for an old trick

Such apps cannot be described as malware, so a new term was invented for them: fleeceware. However, despite the newness of the name, the ruse itself — the offer of a free trial period with paid subscription hidden in the fine print — has been around for a while, and not only mobile developers exploit it.

For example, in 2011–2012 a group of wheeler-dealers distributed to women in Britain supposedly free skin cream samples that needed to be ordered online. When placing an order, users were automatically signed up for a monthly payment of £60–£70 (around $80–$90). This little detail appeared in the fine print, which few people bothered to read.

Fleeceware for iOS

Naturally, this issue is not exclusive to Android; fleeceware app developers haven’t overlooked iOS. In 2017, for example, an app called Mobile Protection: Clean & Security VPN was removed from the App Store. It was downloaded by 50,000 users, and at least 200 of them decided to try the subscription-based VPN on offer, duped by the prospect of “three free days.” Their curiosity cost each of them $400 per month.

There was no need to subscribe to the other app functions, which in any case had little point. For example, the app cleared the phone, but not of temporary files and unused apps, just duplicate contacts.

Another example of iOS fleeceware was a QR code scanner. When launched, the app asked for payment details to sign up for a free trial period, and after three days it began to charge $3.99 per week.

After several such incidents, Apple began to clamp down on apps that do not adequately describe their subscription terms and conditions. And in iOS 13, a warning appears when an attempt is made to uninstall an app with an active subscription.

How to guard against fleeceware

Fleeceware exploits people’s natural curiosity and carelessness, as well as their love of free stuff combined with reluctance to dive into subscription T&Cs. So as not to fall for the trick, be suspicious of anything that looks unusual.

  • Do not download apps offering primitive features at exorbitant prices or by subscription. Most likely, there is nothing exclusive about them, save for the price.
  • Before installing an app, read reviews of both it and the developer. Information about related scams is likely to be online.
  • If you sign up for a free trial period, and do not plan to pay for the app in the future, make sure to unsubscribe. You can do this in the subscription management section of your Google Play account if you have Android or in iTunes if you have an iPhone or iPad.