Afterhour Magic

News for nerds

Sophos: there are at least 32 “fleeceware” iOS apps that are abusing App Store free trial mechanisms

If you thought there’s nothing worse than malware-infested apps, think again: several “fleeceware” apps on both Android and iOS are able to charge you significant amounts of money by using bait-and-switch tactics and exploiting the free-trial mechanism of mobile app stores. What may seem like a bargain can quickly turn into an expensive mistake, even if you uninstall such an app before the end of its trial period.

In a report published this week, British security firm Sophos revealed that more than 3.5 million iOS users have installed “fleeceware” apps. Fleeceware is a relatively new kind of online fraud that is becoming very popular among people who want to take your money while you are none the wiser.

Most of these apps come in the form of image editors, QR and barcode scanners, image and video filter apps, and anything related to horoscopes and fortune-telling.

The way these schemes work is that they abuse the way trials work on mobile app stores to overcharge users for functionality that is otherwise available in cheap or free alternatives. When these apps flooded Google’s Play Store in 2019, it became clear to researchers that it was only a matter of time before they would become just as much of a nuisance on Apple’s App Store.

When you download a fleeceware app, you get access to all of its features for a short period of time, and the app gets permission to charge you once the trial expires. And since most of these apps don’t offer much value in the first place, many people end up uninstalling the app, at which point they assume they will no longer be charged.

However, the developers of certain apps take advantage of app store policies that allow them to require more work on your part before you can get off the hook: uninstalling the app does not cancel the subscription, so they can still charge your account. For ordinary apps that charge is usually a small one-time payment or a cheap monthly subscription fee. Fleeceware apps take this one notch further by asking for exorbitant amounts of money, usually in the hundreds of dollars.

Last year, Sophos found more than 50 fleeceware Android apps that had been installed by no fewer than 600 million users. And while Google removed all of them after being notified of their existence, new ones have popped up and are able to rival some of the most successful legitimate apps in number of installs.