Sophos Fleeceware



In June, Google updated its developer policies, adding new directives to how apps must inform consumers about the true terms and cost of subscription-based apps licensed through the Android Play Store. These changes address some of the issues that characterize apps we refer to as fleeceware.


In previous coverage of fleeceware, we showed examples of app subscription sign-up pages that had been designed to make it hard to read the terms of the app subscription. The new Google-issued rules are designed to address some forms of deceptive marketing display copy, but they also have some loopholes that permit other behavior some might consider unscrupulous.

Fleeceware apps overcharge users for basic app functionality. The term fleeceware is a recent addition to cyber-security jargon: it was coined by UK cyber-security firm Sophos in September 2019, following an investigation that discovered a new type of app that overcharges consumers for functionality widely available in other free or low-cost apps. Sophos researchers subsequently found 25 such apps in the Google Play Store (as reported in August 2020, seven months after that discovery).

The new terms and conditions for developers who wish to distribute their app through the official Play Store require their publishers to comply with the following directives:

  • Describe which parts of the app require a subscription.
  • Let users unsubscribe without impediment.
  • Be fully transparent about the subscription cost and the billing period.
  • Display the terms clearly: human-readable in size and color.

As of the publication of this article, the policy has been in place for roughly two months. Even so, we were able to find developers who hadn’t fully implemented the changes the platform required. Some of those publishers subsequently released policy-compliant updates; Google removed a few apps from the Play Store, too.

Policy violations visible on these screens include the absence of a dismiss button, and billing details and terms printed so small, and in such a light font, that they are almost unreadable.

Fleeceware’s new tricks

Unfortunately, we’ve found a lot of apps that appear to violate these new policies. Here are a few different grifts:

Blind Sub

When we ran samples of these apps, many prompted the user to start the subscription immediately, using a button labeled ‘Try FOR Free’ or ‘Start Free’, before displaying the complete billing details or giving users any way to find them out before subscribing.

Call it a blind subscription: All you know is, you’ve signed up, but not for how long or how much. According to Google, “the offer emphasizes the free trial, and users may not understand that they will automatically be charged at the end of the trial.” Publishers aren’t allowed to do this anymore, but some still try.

Spam Sub

There are a few free-trial apps we tried recently that displayed the screens shown below, among others. They led down an interesting rabbit hole to something we’ll call a spam subscription: you sign up once and find yourself subscribed to a bunch of different apps, because the fleeceware apps advertise one another.

Users sometimes unknowingly subscribe to hundreds of dollars worth of app subscriptions by clicking buttons like these.

In one such instance (the Photo collage & Grid photo editor app above), the offer consists solely of the highly informative ‘Try For Free (3 days trial)’ and nothing else. Neither the billing amount nor the billing frequency is disclosed up front; only later might you find out it could cost you $200 a year.

Termoflauging

This fleeceware-adjacent policy violation is about the use of tricks to visually conceal the terms & conditions. While not exclusive to fleeceware, some apps that charge a subscription still display the costs or important terms literally in grey fonts on a white background, or using incredibly tiny fonts that virtually blend into the background of the subscription solicitation on a mobile device. In so doing, the publishers perform the letter, but not the spirit, of the rules – they display the full subscription details in a way that the eye trying to read it just naturally wants to glaze over.

On top of the visual impediments, in some cases the provided information is just misleading. But more often than not, it’s just shockingly accurate. The Montage app (below) displays the following terms on its solicitation page:

3 Days Free. Then $89.99/week. Cancel at anytime

This was the finest of fine print, in an almost imperceptible wisp of a font that looked like little more than a horizontal line in the advertisement.

Price is still a problem

Unlike the fleeceware apps that blatantly violate Google’s policies, some apps have adapted to the changes: they have tweaked a few buttons and the descriptive text. But they still charge very high subscription prices, like the $89.99-per-week Montage app shown above.

By the way, the Montage app displays wallpapers, changing the phone background image to something new, for $360 a month. More car payment than subscription. How many grande lattes with an extra shot are you willing to buy someone else, per day, just so they can provide you with fresh new background images? Three? Six?


Google’s Play Store policies for subscription-based apps restrict a wide range of behavior, but one thing they don’t restrict is how much an app subscription can or should cost. There is an upper limit on how much apps can charge (in the United States, $400; in many countries the maximum is set in the local currency at a roughly equivalent value), but there’s a loophole: the rule doesn’t specify the duration of the subscription that can charge that maximum amount. Is it $400 a year, $400 a month, or $400 a week? Any developer can take advantage of this to charge you hundreds of dollars per week.

As an aside, it was interesting to discover that, in eight countries, Google’s maximum allowable subscription charge was one or another form of “1337” – a number with geek-cred significance.

Apple changed its App Store review guidelines recently, adding restrictions that effectively ban apps that come with, in Apple’s words, irrationally high prices. In summary, Apple informs its developer audience:

And while pricing is up to you, we won’t distribute apps and in-app purchase items that are clear rip-offs. We’ll reject expensive apps that try to cheat users with irrationally high prices.


We have not come across any such policy for the Google Play Store. When we reported these high-priced apps to Google, a Google spokesperson told us that “subscription costs are set at the discretion of the developer.”

Among the apps we reported to Google, the company declined to take action on all but a few, and in those cases the apps changed how they display the free-trial description and terms, removing the only violations. Publishers, at their discretion, may charge unconscionably high subscription prices so long as they abide by the anti-deceptive-practice rules in their promotions.

We understand it’s difficult to set a fixed price for an app service, but when an app is under review, surely reviewers can easily separate a dodgy-looking photo editor charging $90 per week from a reputable developer charging a fair price for an app with professional or premium features.

These screens come from different-but-oddly-similar wallpaper apps which all charge the oddly specific $89.99 per week. The publisher behind them also tweaked the button text so it reads Start Subscribe, and the fine-print text is the same in each, too (with hyphenation and spacing goofs): “3 Day-Free Trial, then$89.99/week. Cancel at any time”

Netflix charges $16 per month for its premium service. At roughly $360 a month, these wallpaper apps cost the same as 22.5 Netflix subscriptions. The description may carry the details in fine print, but vulnerable users such as kids and the elderly are more susceptible to a grift like this, and more likely to lose money.

Getting more aggressive

We’ve noticed that some apps have moved the screen that solicits a trial subscription so that it is triggered at different times and, unusually, not when the app first starts. The delay may serve to ingratiate the app with the user first.

Some apps require you to watch an ad, usually a video, before they allow access to some features. That’s fair enough, but we experienced glitchy behavior: the app would repeatedly display the subscription solicitation page when you tried to access any feature at all, or when you tried to navigate away from an ad.

In the example below, several horoscope apps try to sign users up for subscriptions worth more than $70 per week, not when you press the subscribe button but when you press the ‘back’ button on your phone. This app claims to have a ‘core technology’ that somehow leads to improved horoscope outcomes.

No matter how sophisticated the horoscope technology, charging users of a horoscope app in the range of $300 a month is unethical. Allowing these apps on the Play Store undermines the trust users feel towards the subscription model for apps as a whole.

Many legitimate developers use the subscription model to license their mobile apps. For a while, there were more fleeceware subscription apps in app stores than legitimate subscription apps, but that has been slowly changing. However, if the abuse of the subscription model continues unabated, it may cease to be a viable business model for legitimate developers to want to be involved in, because the user’s whole experience could be tainted by their interaction with fleeceware.

The consumer friendly improvements made by both Apple and Google since we began reporting on fleeceware apps have been good, but there is still room for improvement. Both Google’s and Apple’s store platforms have control over the entire life cycle of the app, including subscription collection, and payment processing and reconciliation. But these stores’ biggest problem right now seems to be the lack of control over pricing. A video editor or a horoscope charging hundreds of dollars for temporary access seems…irresponsible.

After a user uninstalls a fleeceware app, they get emailed information about unsubscribing from the subscription. Perhaps app stores could automatically unsubscribe the user from any recently uninstalled app, instead of making the user do it manually.

Want to report fleeceware apps?

Have you spotted a fleeceware app on the Google Play Store or the iOS App Store that you would like to report to us? Please email our Labs team with a link to the app.

Last but not least, be wary of apps that have short trials and high costs. If you want to unsubscribe from an app trial, please follow the instructions provided by Apple for iOS users or by Google for Android users.

Want to know more about fleeceware apps?

We will be talking about fleeceware apps in detail at the Virus Bulletin security conference this fall. The VB conference is virtual and is free to register this year, and includes other great talks from our industry friends.

Some of the fleeceware we found on the Play Store includes:

Package name | Subscription charge | Revenue*
com.photoconverter.fileconverter.jpegconverter | $249.99/€224.99/year | $8k
com.recoverydeleted.recoveryphoto.photobackup | $249.99/€224.99/year | $60k
com.screenrecorder.gamerecorder.screenrecording | $249.99/€224.99/year | $10k
com.photogridmixer.instagrid | $229.99/€219.99/year | $5k
com.compressvideo.videoextractor | $229.99/€219.99/year | $10k
com.smartsearch.imagessearch | $229.99/€219.99/year | $30k
com.emmcs.wallpapper | $89.99/week | $20k
com.wallpaper.work.application | $89.99/week | $30k
com.gametris.wallpaper.application | $89.99/week | $30k
com.tell.shortvideo | $89.99/week | $10k
com.csxykk.fontmoji | $89.99/week | $40k
com.video.magician | $89.99/week | $30k
com.el2020xstar.xstar | $89.99/week | $10k
com.dev.palmistryastrology | $69.99/week | $5k
com.dev.furturescope | $69.99/week | $90k
com.fortunemirror | $69.99/week | $20k
com.itools.prankcallfreelite | $44.99/year | $5k
com.isocial.fakechat | $45.99/year | $5k
com.old.me | $94.99/year | $5k
com.myreplica.celebritylikeme.pro | $12.99/€10.99/week | $5k
com.nineteen.pokeradar | Pay per install | 
com.pokemongo.ivgocalculator | Buggy app | 
com.hy.gscanner | $79.99/year | $5k
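The categories used above (blind sub, short trial, high price) and the per-period price-cap loophole discussed in the pricing section can be made mechanically checkable. The following is an added Python example written for this page; it is not code from Sophos or from the article. It parses the fine-print strings quoted in the text and the charge column of the table above, normalises each price to a 30-day month, and flags offers. The thresholds (a $16/month ceiling, borrowed from the article’s Netflix comparison, and a 7-day minimum trial) and the 30-day month are assumptions for illustration, not Google or Apple policy numbers; because a month is taken as 30 days, $89.99/week comes out at about $386/month rather than the four-week $360 used in the prose.

```python
"""Parse app-store subscription fine print and flag fleeceware-style pricing.

Added illustration for this page. Thresholds and the 30-day month are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Days per billing period; a month is normalised to 30 days (assumption).
PERIOD_DAYS = {"day": 1.0, "week": 7.0, "month": 30.0, "year": 365.0}

# One price clause: one or more "<currency><amount>/" tokens followed by a period,
# so both "$89.99/week" and the two-currency "$249.99/€224.99/year" parse.
# "then$89.99/week" (no space, as in the quoted fine print) is also accepted.
PRICE_CLAUSE_RE = re.compile(
    r"(?P<amounts>(?:[$€£]\s*\d+(?:\.\d{1,2})?\s*/\s*)+)(?P<per>day|week|month|year)s?",
    re.IGNORECASE,
)
AMOUNT_RE = re.compile(r"([$€£])\s*(\d+(?:\.\d{1,2})?)")
# Trial wording seen on the page: "3 Days Free", "3 Day-Free Trial", "3 days trial".
TRIAL_RE = re.compile(r"(?P<n>\d+)\s*days?[\s-]*(?:free|trial)", re.IGNORECASE)


@dataclass
class Terms:
    trial_days: Optional[int]
    # currency symbol -> (amount, billing period)
    prices: Dict[str, Tuple[float, str]] = field(default_factory=dict)


def parse_terms(text: str) -> Terms:
    """Extract the trial length and the per-period prices from an offer string."""
    m = TRIAL_RE.search(text)
    terms = Terms(int(m.group("n")) if m else None)
    for clause in PRICE_CLAUSE_RE.finditer(text):
        period = clause.group("per").lower()
        for cur, amt in AMOUNT_RE.findall(clause.group("amounts")):
            terms.prices[cur] = (float(amt), period)
    return terms


def monthly_cost(amount: float, period: str) -> float:
    """Normalise a per-period price to a 30-day month."""
    return round(amount * 30.0 / PERIOD_DAYS[period], 2)


def cap_annualised(cap: float, period: str) -> float:
    """Yearly charge a per-period price cap permits when the period is unconstrained.

    This is the loophole described in the article: a $400 cap means $400 per year,
    per month or per week, depending on what the developer picks.
    """
    return round(cap * 365.0 / PERIOD_DAYS[period], 2)


def triage(offer_text: str, max_monthly: float = 16.0, min_trial_days: int = 7) -> List[str]:
    """Return findings in the article's categories: blind sub, high price, short trial.

    max_monthly and min_trial_days are assumed triage thresholds, not store policy.
    """
    t = parse_terms(offer_text)
    findings: List[str] = []
    if not t.prices:
        # Sign-up button with no price or period at all ("Try For Free").
        findings.append("blind sub: no price or billing period disclosed")
    for cur, (amt, per) in t.prices.items():
        per_month = monthly_cost(amt, per)
        if per_month > max_monthly:
            findings.append(f"high price: {cur}{amt:.2f}/{per} is about {cur}{per_month:.2f}/month")
    if t.trial_days is not None and t.trial_days < min_trial_days:
        findings.append(f"short trial: {t.trial_days} days before billing starts")
    return findings


# Offer strings quoted from the page, and a few rows of its price table.
OFFERS = [
    "Try For Free (3 days trial)",
    "3 Days Free. Then $89.99/week. Cancel at anytime",
    "3 Day-Free Trial, then$89.99/week. Cancel at any time",
]
TABLE = [
    ("com.recoverydeleted.recoveryphoto.photobackup", "$249.99/€224.99/year"),
    ("com.emmcs.wallpapper", "$89.99/week"),
    ("com.myreplica.celebritylikeme.pro", "$12.99/€10.99/week"),
    ("com.hy.gscanner", "$79.99/year"),
]

if __name__ == "__main__":
    for text in OFFERS:
        print(f"{text!r}: {triage(text)}")
    for pkg, charge in TABLE:
        print(f"{pkg}: {triage(charge)}")
    print(f"A $400 cap applied per week allows ${cap_annualised(400, 'week'):,.2f} per year")
```

Run as a script it prints the findings for each quoted offer and table row; `triage` returns them as a list so the same logic can be dropped into a bulk review of store listings. The parser deliberately accepts the spacing and hyphenation goofs seen in the real fine print, since a check that only handles well-formatted terms would miss exactly the listings the article is about.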

OXFORD, United Kingdom, Jan. 14, 2020 (GLOBE NEWSWIRE) -- Sophos (LSE: SOPH), a global leader in next-generation cybersecurity, today introduced Sophos Intercept X for Mobile with new security capabilities for Chrome OS devices and improved mobile threat defense for Android and iOS devices.

Sophos today also published research, Fleeceware Apps Persist on the Play Store, that details new findings on Fleeceware applications that overcharge unsuspecting consumers for functionality widely available in other free or low-cost apps. First discovered by SophosLabs on Google Play in September 2019, Fleeceware remains a problem with more than twenty newly discovered applications with nearly 600 million alleged installations, as reported by Google.

“Fleeceware and other unscrupulous app developers are walking a fine line to avoid breaking hard and fast app store rules. This sneaky behavior is unethical, but not illegal,” said Dan Schiappa, chief product officer at Sophos. “Possibly more worrisome are the stealthy cybercriminals who increasingly target mobile devices to carry out attacks for financial gain or as an ‘easy in’ to connected corporate networks. No mobile device is immune, and attackers are counting on unprotected devices and unpatched flaws to carry out their attacks. Intercept X for Mobile protects users from risky applications and malicious content, and keeps business data on mobile devices secure.”

Leveraging the same deep learning anti-malware technology used in Intercept X for Windows, macOS and server, Intercept X for Mobile protects users, their devices and their data from known and never before seen mobile threats. A completely redesigned interface simplifies security management and aids accessibility for users with disabilities:

  • Device Security: Intercept X for Mobile continuously monitors for and alerts users and IT administrators to signs of potential compromise so they can rapidly and automatically remediate issues and revoke access to corporate resources. Compliance checks detect jailbreaking, rooting, operating system versions, and more, informing users and IT administrators of violations and taking automatic action
  • Network Security: Intercept X for Mobile monitors network connections for suspicious activity in real time, warning users and IT administrators of potential Man-in-the-Middle (MitM) attacks. Web filtering and URL checking also stop access to known bad sites, protecting users from unsuitable content, and SMS phishing detection spots malicious URLs
  • Application Security: Intercept X for Mobile detects malicious and suspicious applications installed on devices, protecting against malware, ransomware and potentially unwanted apps like Fleeceware. Integration with Unified Endpoint Management (UEM) solutions like Sophos Mobile and Microsoft Intune enable administrators to build conditional access policies, restricting access to applications, data and corporate resources when threats are detected
  • Chromebook Security: The new Chromebook Security extension protects Chrome OS users from unsuitable and malicious web content, provides app white and block-listing, and lets IT administrators report on device status and configuration


“There’s a false sense of understanding that organizations don’t have the right to secure employee-owned devices, but that couldn’t be farther from the truth. No device is off limits to an attacker, and left unsecured, mobile devices introduce significant risk,” said Scott Larson, owner of Technology By Design. “Intercept X for Mobile provides the best-in-class protection needed to secure personal and company-issued devices in today’s rapidly evolving threat landscape. It’s a must-have, non-intrusive solution that strengthens any organization’s defenses, and it enables leading service providers like Technology By Design to protect customers from the most sophisticated and advanced threats.”

Intercept X for Mobile is easily managed in the cloud-based Sophos Central platform alongside Sophos’ entire portfolio of next-generation cybersecurity solutions. Sophos’ unique Synchronized Security approach empowers these solutions to work together for real-time information sharing and threat response.

“Intercept X for Mobile is the best way to consolidate multiple endpoint management platforms for consistent policies, comprehensive security and letting users be productive on the devices they prefer,” said Phil Hochmuth, IDC program vice president. “It delivers best in class protection and performance, with less time and effort spent on managing and securing traditional and mobile endpoints.”

A Leader in the IDC MarketScape: Worldwide Enterprise Mobility Management Software for Small and Medium-Sized Businesses 2019–2020 Vendor Assessment1, Sophos provides “a centralized source for purchasing and support as well as unifying all aspects of security and device management, including endpoint antivirus on PCs to EMM/UEM and MTM security on smartphones,” according to the report. “Sophos has the ability to synchronize web security policies and protection settings across a worker's entire device environment, from mobiles (iOS/Android) to PCs (Windows, Mac and Chrome OS), allowing policies to follow users in browsers across all platform types.”

Sophos Intercept X for Mobile is available now as a stand-alone license or bundled with the new Sophos Mobile 9.5 UEM for additional endpoint management capabilities, providing a complete and secure UEM platform with an integrated mobile threat defense solution. For individual and unmanaged use, Intercept X for Mobile is available for free on the Apple App Store and Google Play.

Additional Resources

  • Learn about the threat landscape and 2020 trends in the SophosLabs Threat Report
  • Learn more about the Sophos Snatch Ransomware report
  • Get an overview of the central role Emotet plays with Sophos’ new infographic
  • Read the latest security and company news on Naked Security and on Sophos News
  • Connect with Sophos on Twitter, LinkedIn, Facebook, Spiceworks, and YouTube

_____________________________
1 IDC doc #US45353919, November 2019

About Sophos
As a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from today's most advanced cyberthreats. Powered by SophosLabs - a global threat intelligence and data science team - Sophos' cloud-native and AI-enhanced solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cybercriminal tactics and techniques, including automated and active-adversary breaches, ransomware, malware, exploits, data exfiltration, phishing, and more. The award-winning Sophos Central cloud-based platform integrates Sophos' entire portfolio of best-of-breed products, from the Intercept X endpoint solution to the XG Firewall, into a single system called Synchronized Security. Sophos products are exclusively available through a global channel of more than 53,000 partners and Managed Service Providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol 'SOPH'. More information is available at www.sophos.com.

Press Contacts:
Lesley Sullivan, Sophos
Lesley.Sullivan@sophos.com

Samantha Powers, March Communications
sophos@marchcomms.com


A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/0211fe3d-8fb8-43ce-b1fb-544fd5a8e8ab
