Beware, This Mobile Fleeceware Scam Has Ensnared 600 Million Android Users

Security researchers are warning of a rise in "fleeceware" scams, a term that has only recently entered the security lexicon. It is a growing problem on the Play Store, whereby Android users end up being charged "excessive amounts of money for apps" because they failed to cancel a subscription before a short free trial expired.

On the surface, this sounds like an issue that has more to do with user negligence than anything else, but a closer look reveals that several app publishers are abusing the app subscription business model for financial gain. Part of the problem has to do with what constitutes a cancellation. Simply uninstalling a subscription-based app is not enough in some cases.

Some app publishers treat an uninstall as intent to cancel and will honor the request, while others do not. Cancelling through the Play Store's own subscription management, rather than relying on an uninstall, is the first step to erring on the side of caution. However, according to an investigation by security firm Sophos, cancelling a subscription can also require sending an email or following "other complicated instructions" before the free trial period ends, to avoid being charged.

How to cancel a subscription is not the only issue. Sophos found a large number of apps and app publishers overcharging for simple tasks, like QR code scanning. In one example, the security outfit pointed to an app that displays daily horoscopes for $69.99 per week, which works out to $3,639.48 per year. Some apps charge excessive fees for services that can be had for free, such as reverse image searching (Google offers this as part of its own Search).

"Confusing things even further, some of the apps prompt users to pay for a monthly subscription rate on one screen, and a much different, weekly rate on another screen. It’s impossible for consumers to make an informed choice under these kinds of circumstances, even if they really wanted to pay more than the cost of any but the most expensive new phones each year for the privilege," Sophos says.

[Image: Fleeceware apps. Source: Sophos]

According to Sophos, just over two dozen fleeceware apps account for 600 million installations in total. Some of them have been installed over 100 million times (though the install count may have been manipulated in some instances).

Sophos alerted Google to the problem back in September and it responded by removing the offending apps, but "fleeceware remains a big problem on Google Play," the security outfit says. And unfortunately for users who get scammed by fleeceware, there is not much recourse.

"The Google Play Store policies are significantly less consumer-friendly than US credit card policies; those who managed to get refunds have been able to obtain them only with great difficulty," Sophos says.

Some users who left negative reviews claim they followed the subscription model's rules for cancelling, but were still charged.

All that said, illicit charges aside, Android users share some of the responsibility here. As with avoiding malware in general, due diligence is key, which in this case means being wary of subscription apps, especially those from a publisher that is not well known and trusted. User reviews are not a reliable signal of a publisher's trustworthiness either.

Fortunately, Google is aware of the problem and is actively removing fleeceware apps from the Play Store. However, it's akin to squishing fleas from your pet as you spot them—there's some relief, but it doesn't solve the problem. Stay safe out there, folks.