How do people end up downloading fleeceware apps in the first place?
In March 2021, we wrote about “fleeceware,” mobile apps that aren’t malware but can charge subscribers steep fees, often unexpectedly. At that time, we had found a total of 204 fleeceware apps across the Apple App Store and Google Play Store, with over a billion downloads and over $400 million in revenue, with some apps charging as much as $3,432 per year.
In response, one question we got a lot was, “How do people end up downloading these in the first place?”
Today, we can shed more light on the problem – and at least partially answer that question.
Avast researcher Jakub Vavra recently found fraudulent sites posing as national postal service sites in Germany, Austria, the UK, Belarus, the Czech Republic, Russia, and Slovakia, as well as retail shops from Ukraine and Russia. All of these fake sites were designed to steer unwitting customers towards an Android fleeceware app that charges $70 per week and has been downloaded more than 50,000 times.
Interestingly, though, we found these sites didn’t just direct people to download this fleeceware app. These sites also borrowed from tried-and-true “chain letter” scam techniques to enlist visitors in helping to publicize the sites by sharing links with friends and on social media.
The sites do this first by encouraging the visitor to send links to the site to 20 of their friends or to five group chats on social media. Below is an example spoofing the Royal Mail in the UK.
Then the site asks them to take a short “survey” asking if they use the spoofed postal service, their age, their sex, and what social media they use the most.
Then the site recommends they advertise the site further by sharing the link to the site on the social network they specified.
After doing this, the site then directs them to the fleeceware app on the Google Play Store. The app is advertised in Russian and presents itself as a postal tracking service. It’s notable that this app is presented in Russian, regardless of the language of the site directing them to the app.
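The funnel described above (share gate, survey, Play Store redirect) is the kind of page pattern a web-filtering team would want to score automatically. The following is an added example written for this page; it is not Avast’s detection logic, and the indicator weights, the hypothetical hosts and package name, and the two constructed sample pages are assumptions for illustration. The brand-to-domain table lists only Royal Mail and Deutsche Post and is deliberately incomplete.

```python
"""Heuristic scorer for the postal-spoof fleeceware funnel described in the article.

Added example, not Avast's code. Indicators come from the article: a postal brand
on a non-official host, a "share with N friends / group chats" gate, a survey
step, and a final redirect to a Google Play listing. Patterns, weights and
sample pages are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator patterns (assumed; tune against real captures before deploying).
SHARE_GATE_RE = re.compile(
    r"\b(share|send|forward)\b[^.!?]{0,80}?\b(\d+)\s+(friends|contacts|group chats|groups|chats)\b",
    re.I,
)
SURVEY_RE = re.compile(r"\b(survey|questionnaire)\b", re.I)
PLAY_STORE_RE = re.compile(r"https?://play\.google\.com/store/apps/details\?")

# Brand name -> the operator's real registrable domain. Illustrative, not complete.
POSTAL_BRANDS = {
    "royal mail": "royalmail.com",
    "deutsche post": "deutschepost.de",
}


class _TextAndLinks(HTMLParser):
    """Collects visible text and every href/src/action target on the page."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._skip = 0  # depth inside <script>/<style>, whose contents are not visible

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the sample hosts used here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess(page_url, html):
    """Return {'score': int, 'indicators': [str]} for one fetched page."""
    parser = _TextAndLinks()
    parser.feed(html)
    text = " ".join(" ".join(parser.text).split())
    host = urlparse(page_url).hostname or ""
    indicators = []

    # 1. Brand impersonation: names a postal operator but is not on its domain.
    for brand, real_domain in POSTAL_BRANDS.items():
        if brand in text.lower() and registrable_domain(host) != real_domain:
            indicators.append(f"brand '{brand}' on non-official host {host}")

    # 2. Chain-letter gate: must share with N friends / group chats to proceed.
    m = SHARE_GATE_RE.search(text)
    if m and int(m.group(2)) >= 5:
        indicators.append(f"share gate: {m.group(0)!r}")

    # 3. A "survey" step (the article's sites use it to pick the next network to spam).
    if SURVEY_RE.search(text):
        indicators.append("survey step")

    # 4. Funnel ends at a Google Play listing.
    store_links = [l for l in parser.links if PLAY_STORE_RE.match(l)]
    if store_links:
        indicators.append(f"play store redirect: {store_links[0]}")

    return {"score": len(indicators), "indicators": indicators}


# Constructed sample pages (hypothetical host and package name, not real captures).
SCAM_PAGE = """<html><head><title>Royal Mail - Christmas Giveaway</title>
<script>var x = 1;</script></head><body>
<h1>Royal Mail is giving away prizes to loyal customers!</h1>
<p>Step 1: Share this link with 20 friends or 5 group chats on WhatsApp.</p>
<p>Step 2: Complete a short survey.</p>
<a href="https://play.google.com/store/apps/details?id=com.example.tracker">Track your parcel</a>
</body></html>"""

BENIGN_PAGE = """<html><body><h1>Royal Mail</h1>
<p>Track your item by entering the reference number below.</p>
<form action="/track"><input name="ref"></form></body></html>"""

if __name__ == "__main__":
    print(assess("https://royalmail-gift.example/win", SCAM_PAGE))
    print(assess("https://www.royalmail.com/track", BENIGN_PAGE))
```

Any single indicator is weak on its own (plenty of legitimate pages contain the word “survey”), so the useful signal is the combination: a page that impersonates a postal brand, gates progress on sharing, and hands off to an app store listing matches the whole funnel the article describes and is worth blocking or flagging for review.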
Just like we’ve seen with other fleeceware apps, the app has numerous positive and likely fake reviews.
First, as always, be wary of sites offering giveaways, especially when they claim to be from official government agencies like a postal service. The classic advice of “if it seems too good to be true, it’s most likely a scam” applies.
Another red flag is the way in which the sites aggressively try to have you publicize the site by sending it to your friends and social networks. That’s a common tactic for scams and phishing sites.
To protect against fleeceware, be sure to read the reviews and look at the fine print regarding an app’s trial period. Pay particular attention to what the app will charge and whether the charge is taken automatically at the end of that trial period. Fleeceware apps usually offer a free three- to seven-day trial, but can require users to enter their payment information before the trial begins, and automatically charge users after the trial ends.
If you do activate an app that charges you more than you expect, you should go in and cancel that subscription right away.
Finally, using antivirus software on all computers and devices can help protect against, and block, malware and spam.
We have reported the fleeceware app to Google’s Android security team. We block these sites for our users and have provided Cloudflare – a website security, performance, and reliability company – with a list of the offending websites, which they have used to add a phishing warning for the sites, protecting non-Avast users from the scam as well.