WTF?! If you thought there's nothing worse than malware-infested apps, think again - several "fleeceware" apps on both Android and iOS are able to charge you significant amounts of money by using bait and switch tactics and exploiting the trial mechanism of mobile app stores. What may seem like a bargain can quickly turn into an expensive mistake even if you uninstall such an app before the end of its trial period.
In a report published this week, British security firm Sophos revealed that more than 3.5 million iOS users have installed "fleeceware" apps, a relatively new kind of online fraud that is becoming very popular among people who want to take your money while you are none the wiser.
Most of these apps come in the form of image editors, QR and barcode scanners, image and video filter apps, and anything related to horoscopes and fortune-telling.
The way these schemes work is that they abuse the way trials work on mobile app stores to essentially overcharge users for functionality that is otherwise present in cheap or free alternatives. When these apps flooded Google's Play Store in 2019, it became clear to researchers that it was only a matter of time before this would become just as much of a nuisance for Apple's App Store.
When you download a fleeceware app, you get access to all of its features for a short period of time, and the app gets permission to charge you once the trial expires. And since most of these apps don't offer much value in the first place, many people end up uninstalling the app, at which point they assume they will no longer be charged.
However, the developers of certain apps take advantage of app store policies that allow them to require more work on your part before you can get off the hook. This allows them to still charge your account, usually a small one-time payment or a cheap monthly subscription fee. Fleeceware apps take this one notch further by asking for exorbitant amounts of money, usually in the hundreds of dollars.
Last year, Sophos found more than 50 fleeceware Android apps that have been installed by no less than 600 million users. And while Google cleaned out all of them after being notified of their existence, new ones have popped up and are able to rival some of the most successful legitimate apps in the number of installs.
The firm says Apple's App Store currently has at least 32 fleeceware apps that operate in the same categories as those found on the Play Store. As soon as the 3-day or 7-day trial ends, these apps will charge $9 per week or $30 per month, which can add up to $468 or $360 per year, respectively.
It also doesn't help that these apps tend to have between 500,000 and 1 million downloads, and one in particular, called Zodiac Master Plus, is among the top-grossing apps. Unsuspecting users can look at these numbers and download them under the impression that their popularity is a measure of their value.
Jagadeesh Chandraiah, who is a malware analyst at Sophos, noted that "app publishers also have the ability to introduce new fleeceware apps by releasing new apps with the same subscription policies, or by converting a previously free app into fleeceware by changing the app’s profile in the App Store, though Apple developer policies prohibit this behavior."
The best way to avoid getting duped is to carefully inspect description pages and reviews, as well as get into the habit of inspecting your account for subscriptions every time you uninstall an app. Below you have the full list of fleeceware apps found by Sophos.