{"id":23483,"date":"2019-11-11T15:50:13","date_gmt":"2019-11-11T13:50:13","guid":{"rendered":"https:\/\/www.kaspersky.co.za\/blog\/beware-of-fleeceware\/23483\/"},"modified":"2019-11-15T13:21:48","modified_gmt":"2019-11-15T11:21:48","slug":"beware-of-fleeceware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/beware-of-fleeceware\/23483\/","title":{"rendered":"Beware of fleeceware"},"content":{"rendered":"<p>Remember how <em>Pulp Fiction<\/em> hitman Vincent Vega wanted to try a milkshake simply because it cost a whopping $5? That\u2019s a completely normal reaction\u00a0\u2014 many people automatically associate high price with some extraordinary quality. So, if they can sample an expensive product free, even those who don\u2019t plan to buy are interested. Some smartphone app developers take advantage of this human trait.<\/p>\n<h2>The cost of curiosity<\/h2>\n<p>In late September, infosec researchers found a collection of calculators, QR code scanners, photo enhancers, and other programs with basic functionality on Google Play at <a href=\"https:\/\/news.sophos.com\/en-us\/2019\/09\/25\/fleeceware-apps-overcharge-users-for-basic-app-functionality\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">clearly inflated subscription prices<\/a> of up to \u20ac200 per month. The apps had been downloaded by tens of millions of people, if not more.<\/p>\n<p>Users were promised a three-day trial period. Realizing that subscribing to such apps would be pointless, many users uninstalled them. But they were still charged.<\/p>\n<p>How did this happen? First, victims had to provide the apps with their payment details the first time they tried to run the apps\u00a0\u2014 without this, the apps wouldn\u2019t even start. This enabled the greedy apps to charge for subscription without asking for user consent.<\/p>\n<p>Second, uninstalling the app from the device is not the same thing as unsubscribing. 
This makes some sense\u00a0\u2014 it prevents you from losing, say, your playlists in a music player app if you delete it by mistake, restore the device\u2019s factory settings, or use the app on a new phone. However, many don\u2019t know about this particular nuance. And even those who do sometimes forget to cancel subscriptions, which is what fleeceware writers feed on.<\/p>\n<h3>Not technically malware<\/h3>\n<p>You might ask why such apps were allowed onto Google Play in the first place. Alas, technically these \u201cgilt-edged\u201d calculators and QR scanners do not violate the store\u2019s rules. They perform their stated function, do not request unnecessary permissions, and do not contain malicious code. As for the subscription prices, no current rules would bar them from Google Play.<\/p>\n<p>For many countries, there is a <a href=\"https:\/\/support.google.com\/googleplay\/android-developer\/table\/3541286\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">set upper limit<\/a> \u2014 but it\u2019s the same for an advanced video editor, which might genuinely be worth the money, as it is for a QR scanner or flashlight app. At the time of this writing, the ceiling in the US is $400, while in most of the European Union and the UK it\u2019s a bit less \u2014 \u20ac350 and \u00a3300 respectively. If the subscription price falls below this, the store approves the app\u00a0\u2014 whereupon users decide for themselves whether to cough up for certain features. 
And they have only themselves to blame if they don\u2019t understand how subscriptions work.<\/p>\n<p>Nevertheless, when Google became aware of the issue, <a href=\"https:\/\/thenextweb.com\/security\/2019\/09\/26\/android-users-suckered-for-100s-by-basic-calculator-and-qr-scanning-apps\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">14 of the 15 overcharging apps were removed from Google Play<\/a>\u00a0\u2014 and almost immediately after, the researchers found nine more. In reality, the main app stores are probably teeming with many more such programs.<\/p>\n<h3>Fleeceware: A new name for an old trick<\/h3>\n<p>Such apps cannot be described as malware, so a new term was invented for them: fleeceware. However, despite the newness of the name, the ruse itself\u00a0\u2014 the offer of a free trial period with paid subscription hidden in the fine print\u00a0\u2014 has been around for a while, and not only mobile developers exploit it.<\/p>\n<p>For example, in 2011\u20132012 a group of wheeler-dealers distributed to women in Britain <a href=\"https:\/\/www.theguardian.com\/money\/2012\/feb\/17\/free-skin-cream-trial-victims\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">supposedly free skin cream samples<\/a> that needed to be ordered online. When placing an order, users were automatically signed up for a monthly payment of \u00a360\u2013\u00a370 (around $80\u2013$90). This little detail appeared in the fine print, which few people bothered to read.<\/p>\n<h3>Fleeceware for iOS<\/h3>\n<p>Naturally, this issue is not exclusive to Android; fleeceware app developers haven\u2019t overlooked iOS. In 2017, for example, an app called Mobile Protection: Clean &amp; Security VPN was <a href=\"https:\/\/www.forbes.com\/sites\/johnkoetsier\/2017\/06\/12\/apple-deletes-80kmonth-vpn-scam-app\/2523278b76dbed17\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">removed from the App Store<\/a>. 
It was downloaded by 50,000 users, and at least 200 of them decided to try the subscription-based VPN on offer, duped by the prospect of \u201cthree free days.\u201d Their curiosity cost each of them $400 per month.<\/p>\n<p>The app\u2019s other functions required no subscription, but they had little point in any case. For example, the app cleaned up the phone, but removed only duplicate contacts, not temporary files or unused apps.<\/p>\n<p>Another example of iOS fleeceware was a QR code scanner. When launched, the app asked for payment details to sign up for a free trial period, and after three days it <a href=\"https:\/\/www.forbes.com\/sites\/johnkoetsier\/2018\/10\/04\/app-scams-cheap-utility-apps-are-stealing-260-2500-or-even-4700-each-year-per-user\/%252523c5d617d162ac\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">began to charge $3.99 per week<\/a>.<\/p>\n<p>After several such incidents, Apple began to <a href=\"https:\/\/venturebeat.com\/2018\/10\/18\/apple-yanks-subscription-scam-apps-but-leaves-a-bigger-problem-intact\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">clamp down on apps<\/a> that do not adequately describe their subscription terms and conditions. And in iOS\u00a013, a warning appears when an attempt is made to uninstall an app with an active subscription.<\/p>\n<h2>How to guard against fleeceware<\/h2>\n<p>Fleeceware exploits people\u2019s natural curiosity and carelessness, as well as their love of free stuff combined with reluctance to dive into subscription T&amp;Cs. So as not to fall for the trick, be suspicious of anything that looks unusual.<\/p>\n<ul>\n<li>Do not download apps offering primitive features at exorbitant prices or by subscription. Most likely, there is nothing exclusive about them, save for the price.<\/li>\n<li>Before installing an app, read reviews of both it and the developer. 
Information about related scams is likely to be online.<\/li>\n<li>If you sign up for a free trial period, and do not plan to pay for the app in the future, make sure to unsubscribe. You can do this in the subscription management section of your Google Play account <a href=\"https:\/\/support.google.com\/googleplay\/answer\/7018481?co=GENIE.Platform%25253DAndroid&amp;hl=en\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">if you have Android<\/a> or in iTunes <a href=\"https:\/\/support.apple.com\/en-us\/HT202039\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">if you have an iPhone or iPad<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Overpriced apps entice Google Play and App Store users with a free trial period, and then charge them for a paid subscription even when uninstalled.<\/p>\n","protected":false},"author":2509,"featured_media":23484,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2670],"tags":[105,109,1250,3238,422],"class_list":{"0":"post-23483","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-android","9":"tag-apps","10":"tag-ios","11":"tag-subscriptions","12":"tag-threats"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/beware-of-fleeceware\/23483\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/beware-of-fleeceware\/16879\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/beware-of-fleeceware\/14256\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/beware-of-fleeceware\/18904\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/beware-of-fleeceware\/16898\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/beware-of-fleeceware\/15651\/"},{"hr
eflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/beware-of-fleeceware\/19589\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/beware-of-fleeceware\/18226\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/beware-of-fleeceware\/23962\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/beware-of-fleeceware\/6646\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/beware-of-fleeceware\/29204\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/beware-of-fleeceware\/12516\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/beware-of-fleeceware\/11408\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/beware-of-fleeceware\/20665\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/beware-of-fleeceware\/24433\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/beware-of-fleeceware\/24348\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/beware-of-fleeceware\/19339\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/beware-of-fleeceware\/23638\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/23483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=23483"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/23483\/revisions"}],"predecessor-version":[{"id":23540,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/23483\/revisions\/23540"}],"wp:featuredmedia":[{"embed
dable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/23484"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=23483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=23483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=23483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}