Fleeceware scams promise free subscription trials but deliver costly charges to victims
Researchers at Avast have discovered a total of 204 fleeceware applications with over a billion downloads and over $400 million in revenue on the Apple App Store and Google Play Store. The purpose of these applications is to draw users into a free trial to “test” the app, after which they overcharge them through subscriptions which sometimes run as high as $3,432 per year. These applications generally have no unique functionality and are merely conduits for fleeceware scams. Avast has reported the fleeceware applications to both Apple and Google for review.
The fleeceware applications discovered consist predominantly of musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and ‘slime simulators’. While the applications generally fulfil their intended purpose, it is unlikely that a user would knowingly want to pay such a significant recurring fee for these applications, especially when there are cheaper or even free alternatives on the market.
It appears that part of the fleeceware strategy is to target younger audiences through playful themes and catchy advertisements on popular social networks with promises of ‘free installation’ or ‘free to download’. By the time parents notice the weekly payments, the fleeceware may have already extracted significant amounts of money.
The data is startling: with nearly a billion downloads and hundreds of millions of dollars in revenue, this model is attracting more developers, and there is evidence to suggest several popular existing apps have updated to include the free trial subscription with high recurring fees. Unfortunately, this endeavour can be lucrative even if only a small percentage of users fall victim to fleeceware.
Fleeceware is a recently coined term that refers to a mobile application that comes with excessive subscription fees. Most applications include a short free trial to draw the user in. The application takes advantage of users who are not familiar with how subscriptions work on mobile devices, meaning that users can be charged even after they’ve deleted the offending application.
A majority of the applications that our team has discovered lure users in with a promise of a free three-day trial, attaching a subscription that commences at the end of the trial. Once the trial is over, the user is charged a recurring high subscription fee, generating substantial revenue for the developers. Importantly, uninstalling the application doesn’t cancel the subscription — as a result, the user is likely to be charged further until they cancel the subscription within their device’s app market settings. There’s also the possibility that users forget to cancel the free trial, resulting in expensive fees. Either way, these scams make use of deceptive behavior that relies on the user not being informed about how subscriptions work and draws them into the scheme through a free trial.
Upon opening the app, users are met with a three-day free trial with a recurring subscription fee attached.
There is a wide range of subscriptions being used by these fleeceware applications, ranging from weekly and monthly to annual fees. In some cases, users can be charged as much as $66 per week, totalling a ludicrous $3,432 per year. Most of the discovered applications range from $4 to $12 per week, which equates to $208 to $624 per year. It goes without saying that users are extremely unlikely to willingly pay this amount for these applications.
A recurring theme: fleeceware applications that have negated users’ previous app purchases.
An emerging trend is that several popular applications have converted to the subscription-based fleeceware model. Applications that were previously free or required a one-off fee to unlock all features now offer expensive weekly subscriptions. Judging by reviews, sometimes users who have previously paid for the full application are also forced into the fleeceware subscriptions without being given access to the already-purchased app. It is likely more developers will follow suit, as the revenue generated from fleeceware is evidently substantial.
As these applications are not considered malware and are available on official app stores, they also have access to official advertisement channels to spread the fleeceware scheme. According to Sensor Tower’s Ad Intelligence, these applications are actively advertising on major social networks such as Facebook, Instagram, Snapchat and TikTok. Due to this scheme’s lucrative nature, the actors are likely investing substantial amounts of money to further propagate these apps via popular platforms.
Snapshot of a video advert played on Instagram.
These advertisements may be displayed to a potentially vulnerable younger audience that may be inclined to try out these apps. Promises of “free installation” or “free to download” are present in several of these adverts. The adverts often rely on deceptive videos that do not represent the product to draw users in.
Fawning and positive reviews that are likely fake.
Once the user clicks on the advert, they’re redirected to the app’s profile on the respective device’s app market. Here, the user is met with a well laid out app profile that often has a four or five-star review. The app profile looks official and doesn’t raise red flags at first sight. However, upon closer investigation, it becomes apparent that a big portion of the reviews are fake (they contain repeating text or are poorly-worded and generic in nature). There is reason to believe this form of review boosting is becoming a more prominent practice.
Another effect of the fake reviews is that they flood the review feed, making it more difficult to spot genuine reviews. This tactic impairs the user’s ability to make an informed decision about the application at hand.
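The tell-tale sign described above, many reviews that repeat the same text with only punctuation or casing changed, can be surfaced mechanically. The following is an added example, not Avast’s tooling or code from the original post: it clusters near-duplicate reviews by word-shingle Jaccard similarity, so that the few reviews that stand alone (typically the genuine complaints) can be read first. The review texts are constructed for the demonstration and are not taken from any real store listing; the similarity threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample reviews for demonstration only; not from any real app listing.
SAMPLE_REVIEWS = [
    "Great app! Best slime simulator ever, love it so much!!!",          # 0
    "Great app! Best slime simulator ever, love it so much!!!",          # 1: verbatim copy of 0
    "great app - best slime simulator ever. love it so much",            # 2: copy of 0, re-punctuated
    "Amazing app, works perfect, highly recommend.",                     # 3
    "Amazing app works perfect highly recommend",                        # 4: copy of 3
    "Deleted the app after the trial but was still charged this week. "
    "No way to contact the developer.",                                  # 5: stands alone
    "My son installed this and we only noticed the weekly payments two months later.",  # 6
]

_WORD = re.compile(r"[a-z0-9$]+")


def normalize(text):
    """Lower-case and keep only word tokens, so punctuation/casing tweaks don't hide copies."""
    return _WORD.findall(text.lower())


def shingles(tokens, k=3):
    """Set of word k-grams; a text shorter than k words becomes a single shingle."""
    if len(tokens) < k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a, b):
    """Overlap of two shingle sets; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_near_duplicates(reviews, threshold=0.6, k=3):
    """Group reviews whose shingle sets overlap by at least `threshold` (union-find over pairs).

    Returns (clusters, singletons): clusters are index lists of size >= 2,
    singletons are indices of reviews that matched nothing else.
    """
    sets = [shingles(normalize(r), k) for r in reviews]
    parent = list(range(len(reviews)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    for i in range(len(reviews)):
        for j in range(i + 1, len(reviews)):
            if jaccard(sets[i], sets[j]) >= threshold:
                parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i in range(len(reviews)):
        groups[find(i)].append(i)
    clusters = sorted((g for g in groups.values() if len(g) > 1), key=lambda g: g[0])
    singletons = sorted(i for g in groups.values() if len(g) == 1 for i in g)
    return clusters, singletons


def triage(reviews, threshold=0.6):
    """Summarise a review feed: duplicate clusters, stand-alone reviews, and the duplicated share."""
    clusters, singletons = cluster_near_duplicates(reviews, threshold)
    duplicated = sum(len(c) for c in clusters)
    return {
        "clusters": clusters,
        "singletons": singletons,
        "duplicate_fraction": duplicated / len(reviews) if reviews else 0.0,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REVIEWS)
    for c in result["clusters"]:
        print("near-duplicate cluster", c, "->", repr(SAMPLE_REVIEWS[c[0]][:40]))
    print("reviews to read first:", result["singletons"])
    print("share of feed that is duplicated: %.2f" % result["duplicate_fraction"])
```

On the constructed feed, reviews 0–2 and 3–4 collapse into two clusters and only reviews 5 and 6 remain as singletons, which is exactly the reading order a cautious user (or a store moderator) would want. Word shingles rather than whole-string comparison are what let the re-punctuated copy in review 2 be caught; a high duplicate fraction on a listing with a four- or five-star average is the signal worth acting on, not any single review.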
When sifting through the maze of fake reviews, an occasional one-star review reveals the real impact of fleeceware applications. Users often cite that they deleted the application; however, they were still charged. Others mention how their children downloaded the app and likely subscribed to the free trial. Unfortunately, parents often only figure out the source of the charges weeks or months later.
A few examples of affected users voicing their views about the extortionate app subscriptions.
Due to the way subscriptions are handled, Google and Apple aren’t responsible for subscription refunds after a certain time period and redirect the victims to app developers. As evidenced by reviews, the developers can simply choose to ignore the users, or claim that the user was aware of the subscription fee and refuse to refund the victims. Several developer profiles that our team discovered provided links to discontinued websites or contact forms. All in all, it appears there is very little that victims can do in these scenarios other than contacting their bank and requesting a chargeback.
Google and Apple have been improving the transparency around in-app purchases and around payments made through their respective platforms. It’s clear that the subscription model is necessary to provide ongoing support for legitimate developers. However, as evidenced by these fleeceware applications, users are still falling victim to predatory and deceptive subscription tactics that result in them paying unreasonable amounts of money for applications that don’t offer unique features.
A simple solution to the fleeceware problem would be to include a prompt for cancelling subscriptions when uninstalling apps with active subscriptions. This is likely the intended outcome for the user, as they’re unlikely to want to pay a subscription for an app that they no longer have on their device. Google currently has a notification prompt that warns users of active subscriptions for uninstalled apps. Apple displays a direct dialogue to the user asking whether they want to keep the subscription. Even with these precautions in place, it’s evident that fleeceware apps continue to bring in revenue.
Warnings displayed by Android and iOS devices after deleting an app with an active subscription.
Another solution could be subscription payment confirmation. If the user accepts a free trial, the app could require another confirmation before paying money for the actual subscription once the free trial is over. In this scenario, the app’s functionality would stop until the user pays the required fee. This would give the user direct control over subscription payments and allow them to make a fully informed decision on continuing with the subscription.
Removing and filtering out fake and automated reviews would also improve the user’s ability to make a conscious decision about an application. As we’ve already explained, it’s currently possible to flood an app’s profile with fake reviews and, in effect, block negative reviews from being prominent (or even displayed to the user at all).
Finally, more clarity around in-app purchases and the display of potential charges in a more prominent way could help users decide if the application is charging fair prices. The current display of in-app messaging can be deceptive or hidden, and in combination with the free trial, this may lead the user to believe they’re only signing up for a free subscription.
Current descriptions of potential in-app purchases on both platforms, which require several clicks/scroll-downs to access.
The result of these fleeceware applications is clearly negative in the long term. Apart from the financial harm inflicted, users affected by such scams will be less inclined to download applications or engage with app stores in general. Therefore, these fleeceware applications have a negative impact on legitimate developers that use the subscription model in an ethical manner. This being said, it’s in the best interest of app stores to protect their users and enable them to make clear decisions without fear of excessive charges.
With subscriptions becoming more prevalent on both app stores, users must be vigilant when downloading and using applications. To avoid fleeceware, we recommend following the guidelines outlined below:
Google’s support page walks through the steps for cancelling, pausing or changing subscriptions.
A total of 134 fleeceware applications have been identified by Avast on the Apple App Store.
Sensor Tower data estimates a total of 500 million downloads of these applications. It also estimates that the applications have brought in $365 million in revenue in their lifetime.
A total of 70 fleeceware applications have been identified by Avast on the Google Play Store.
Sensor Tower data estimates a total of 500 million downloads of these applications. It also estimates that the applications have brought in $38.5 million in revenue in their lifetime.