"Fleeceware" apps plague Google Play with 600 million downloads

“Fleeceware” apps – a new type of fraud Google yet to defeat

[Image: Fleeceware apps downloaded from Google Play]

While security experts believe that the figure of 600 million downloads might be inflated, plenty of users have nonetheless been tricked by fleeceware apps.

With over 2.5 million apps on Google Play, the industry giant has many things to take care of to ensure that no malicious or “bad” apps reach users. While the company does make an effort to do so, its attempts are not always successful, as some adware and similar malicious apps managed to slip through Google's security checks in the past. Now it seems like a new challenge is ahead – “Fleeceware.”

Security researchers from SophosLabs described the fleeceware phenomenon in September last year,[1] and the term is still relatively new in the cybersecurity research community. Such apps deceptively overcharge users for the basic services they provide once the short trial period expires, and keep charging even after the app is uninstalled – experts blame “Play market policy loopholes” for the practice.

While Google has taken down apps using unfair practices since the initial Sophos article was published, security experts have now found more culprits, and the number of installations exceeds 600 million,[2] even though it comes from merely 25 different applications. The report also mentioned that one of the apps has over 100 million downloads, a number that can compete with many commercially successful applications on Google Play.

Users lose hundreds of dollars in unsolicited subscription fees

The trial period is usually operated on an opt-out basis, meaning that users who signed up for it must cancel the trial before they get charged by the app. Those who acquire a trial-based application are normally not charged once the app is uninstalled from the device, as the developers assume that the product did not satisfy the customer, which effectively terminates the trial as well as all upcoming charges.

However, some developers decided not to play fair, as they charge users even after they uninstall the app from their phones or tablets. Additionally, these apps are usually of poor quality and provide very limited functionality that can often be found elsewhere for free:

As we saw last fall, there were a wide variety of entertainment or utility apps, including fortune tellers, instant messengers, video editors, and beauty apps. And just like last time, user reviews reveal serious complaints about overcharging, and that many of these apps are substandard, and don’t work as expected.

What proves to be a lucrative business model for some turns out to be a major loss for others. In most cases, fleeceware offers basic functionality like a flashlight or fortune-telling at an extortionate price – some apps were found to be charging users as much as $521, broken down into monthly payments of $27 or weekly payments of $10, which might not seem like much initially. However, considering that the app is not even used by the person who keeps getting charged, this looks more like fraud than anything else.

Fleeceware app devs use fake install count statistics

Security experts at SophosLabs said that the high install count is most likely manipulated, although even with fake download counts, it is still likely that many users installed these bad apps and were charged by the unfair service. Artificially inflating rankings is not hard and has been practiced for a while on YouTube and other platforms.[3] These “favors” are provided by specific paid services that also add fake reviews and ratings. Most of the 5-star reviews consist of standardized phrases like “Love it,” “Great app,” “Good,” etc., and often appear in a cluster.[4]
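The two indicators described above – boilerplate 5-star reviews and their arrival in a tight cluster – can be turned into a simple screening heuristic for anyone auditing an app's review feed. The following is an added example written for this article; it is not SophosLabs' tooling or anything from the article itself. The review data is constructed, and the 15-minute window, the three-review minimum and the list of generic phrases are assumed thresholds that a reviewer would tune against real data.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample reviews, not real Play Store data: (ISO timestamp, stars, text).
# The first five imitate a burst of generic 5-star reviews; the rest are ordinary feedback.
SAMPLE_REVIEWS = [
    ("2020-01-10T09:00:00", 5, "Love it"),
    ("2020-01-10T09:03:00", 5, "Great app"),
    ("2020-01-10T09:05:00", 5, "Good"),
    ("2020-01-10T09:07:00", 5, "love it!"),
    ("2020-01-10T09:11:00", 5, "Great app"),
    ("2020-01-11T14:20:00", 1, "Charged me $27 a month after I uninstalled, no way to cancel"),
    ("2020-01-13T18:45:00", 2, "Flashlight app that barely works and wants a weekly subscription"),
    ("2020-01-20T08:00:00", 4, "Does what it says, editing is a bit slow on my older phone"),
]

# Assumed list of stock phrases; extend it from whatever recurs in the feed being audited.
GENERIC_PHRASES = {"love it", "great app", "good", "nice", "awesome", "best app", "cool"}
BILLING_WORDS = ("charged", "subscription", "cancel", "refund")


def normalize(text):
    """Lower-case, trim trailing punctuation and collapse whitespace."""
    return " ".join(text.lower().strip(" .!,").split())


def is_boilerplate(text, max_words=3):
    """A review is boilerplate if it matches a stock phrase or is only a few words long."""
    norm = normalize(text)
    return norm in GENERIC_PHRASES or len(norm.split()) <= max_words


def find_burst_clusters(reviews, window=timedelta(minutes=15), min_size=3):
    """Group boilerplate 5-star reviews posted within `window` of the cluster's first review.

    Returns a list of clusters; each cluster is a list of (datetime, stars, text) tuples.
    """
    generic = sorted(
        (datetime.fromisoformat(ts), stars, text)
        for ts, stars, text in reviews
        if stars == 5 and is_boilerplate(text)
    )
    clusters, current = [], []
    for review in generic:
        # Start a new cluster once the gap from the cluster's first review exceeds the window.
        if current and review[0] - current[0][0] > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(review)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def suspicion_report(reviews):
    """Summarise the signals a reviewer would weigh before trusting an app's rating."""
    clusters = find_burst_clusters(reviews)
    five_star = [r for r in reviews if r[1] == 5]
    boilerplate_five_star = [r for r in five_star if is_boilerplate(r[2])]
    phrase_counts = Counter(normalize(r[2]) for r in boilerplate_five_star)
    billing_complaints = sum(
        1 for r in reviews if r[1] <= 2 and any(w in r[2].lower() for w in BILLING_WORDS)
    )
    return {
        "cluster_count": len(clusters),
        "clustered_reviews": sum(len(c) for c in clusters),
        "boilerplate_share_of_5_star": (
            len(boilerplate_five_star) / len(five_star) if five_star else 0.0
        ),
        "phrase_counts": phrase_counts,
        "billing_complaints": billing_complaints,
    }


if __name__ == "__main__":
    for key, value in suspicion_report(SAMPLE_REVIEWS).items():
        print(f"{key}: {value}")
```

On the constructed data the report shows a single burst of five boilerplate 5-star reviews, every 5-star review being boilerplate, and two low-star reviews complaining about billing; that combination is exactly the pattern the article attributes to fleeceware listings, and it is worth far more than the headline star rating when deciding whether to trust an app.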

The practice allows apps to climb the rankings artificially, and because Google lists apps with high download counts and positive ratings first, it gives the devs the opportunity to attract real customers as soon as those customers enter a search query.

Avoid these apps, as well as those that offer shady trials

The “opt-out” business model is not great, but it gives users the opportunity to try things out for free. Nevertheless, because most people don't read the terms and conditions,[5] getting tricked by such a policy is really easy, and this applies not only to fleeceware – users sometimes get confused about whether a payment is a one-time deal or a recurring subscription. Blaming users for not paying attention should not be used as an excuse for deliberately misleading them.

While it is highly likely that Google will remove the remainder of the fleeceware discovered by SophosLabs, you should be careful not to install the following apps: Astrofun, Easynap, VCUT, Face X Play, Fortunemirror, Filmigo, GO Keyboard, GO Keyboard Lite, GO SMS Pro, GO Recorder, GO Security, Z Camera, Master Recorder, S Photo Editor, Wonder Video, Clipvue, Filmix, Photo Recovery & Video Recovery, ScreenRecorder, V Recorder, V Recorder Lite.

For future reference, if you sign up for a trial, make sure that you cancel the subscription on time, as uninstalling the app no longer guarantees that it is canceled automatically. Hopefully, Google will soon treat this behavior as inappropriate and decline apps that use such a business model designed to deceive users.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
