There’s a new sort of scam going on in 2019 that takes advantage of a modern phenomenon. The idea that you’d pay a fee each month for a service, like Netflix, became commonplace over the past decade. App makers in the Google Play app store were recently found exploiting a gap in the way in-app subscriptions are sold, taking money from unsuspecting users, in some cases to the tune of hundreds of dollars in a single charge.
The simplicity of the scheme makes it all the more important to discuss. Researchers at SophosLabs identified at least 15 apps “which have been downloaded millions of times between them” that use what Sophos has named Fleeceware. These 15 apps were able to charge users large sums with very little effort on the developer’s part.
What is Fleeceware?
The word “Fleeceware” is a combination of “fleecing” and “ware” as in “software”. Fleecing, in this case, is the malicious act of swindling a person out of a large sum of money. To fleece someone is to trick them in order to profit from the trick.
The trick is to let a new user install the app for free and use it for a short trial period. At some point after installation, the user is prompted to enter and submit payment details, which will be used to pay for the app once the “trial” period is over.
Most users enter these details assuming that if they delete the app before the trial ends, they won’t be charged. Unfortunately, a trial started through Google Play converts into a paid subscription when it expires, and uninstalling the app does not cancel that subscription; it has to be cancelled from the Subscriptions page of the Play Store. These apps charge the fee regardless of what the user does with the app afterwards, and they won’t have broken any law in doing so.
The scheme works for the developer because, as long as the terms are stated in some fine print somewhere in the app, they are free to charge whatever is written there. Some of these apps state in writing that they may charge the user over $200 USD.
Users might not realize that they’ve been fleeced until it’s too late: the charge might appear weeks or months after the app was first installed.
Were these apps removed by Google?
The good news is that Google is aware of the situation and has removed the bulk of the apps found in the first wave identified by SophosLabs. Sophos reported its findings to Google and, by the time it published them, 14 of the 15 apps it had originally identified had been removed from Google Play.
Unfortunately, this is not the end of the story. “Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market,” said SophosLabs malware analyst Jagadeesh Chandraiah.
Spotting Scam Apps
Malicious app developers prey on users who don’t do their research. They ride popular trends with apps like “Old Me” and “Hide Photos”, and they build apps that seem too simple to be malicious, like “QR Code Reader” and “Compass Pro.”
If you want to try an app you saw a friend use (assuming they haven’t already been fleeced), install the exact same app they have rather than a lookalike with a similar name. Let someone else do the playtesting. Better still, check a tech blog you trust and see which apps it recommends.
Don’t just search for keywords on the Google Play app store. The search bar seems like the obvious way to find an app with the feature you want. In reality, it mainly surfaces the apps that have most successfully targeted those keywords or found a way to inflate their popularity, not the apps that have been vetted.
Install apps from developers you trust. Avoid apps with terrible reviews, read the recent reviews for complaints about unexpected charges, and don’t let your kids install apps until you’ve checked the legitimacy of the developer.
How do I avoid being fleeced?
Be very careful about giving any app access to your personal details, and especially your payment information. Before starting a “free trial”, read what the Google Play purchase dialog says the subscription will cost once the trial ends, and set a reminder to cancel it from the Play Store’s Subscriptions page before that date; uninstalling the app is not enough. If you’re not prepared to do that, the simplest rule is to avoid “free trial” apps altogether.
App stores are not infallible. Just because an app is in the Google Play app store does not mean its developer isn’t trying to fleece you for your cash. Be aware, and keep your digital digits hidden as best you’re able!