Researchers are warning iPhone users of fleeceware apps after finding more than 30 examples of them on Apple’s App Store. Fleeceware is jargon for apps that trick users into paying excessive fees for basic applications and functionality that is available free elsewhere.
Many of these fleeceware apps come in the form of image editors, horoscope apps, QR code or barcode scanners, and face filter apps targeted at younger generations. Typically, publishers of fleeceware target users who may be less cognizant of, or less sensitive to, initial fees and recurring charges. While the apps market themselves as “free apps,” they are covertly charging for pricey subscription services – gouging some users by as much as $500 a year, researchers said.
“Many of these apps charge subscription rates like $30 per month or $9 per week after a 3- or 7-day trial period,” said Jagadeesh Chandraiah, with Sophos, in an analysis this week. “If someone kept paying that subscription for a year, it would cost $360 or $468, respectively. For an app.”
The fleeceware apps (a full list of fleeceware apps can be found here) discovered on Apple’s App Store are also extremely popular, with some racking up between 500,000 downloads (Selfie Art – Photo Editor) and 1 million downloads (mSpy Lite Phone Family Tracker), according to Sensor Tower data.
One of these apps, Zodiac Master Plus, is listed as the 11th highest revenue-generating app on Apple’s App Store. Researchers said another one of the apps, Lucky Life – Future Seer, is earning more revenue than the popular Britbox app (one of the UK’s most popular subscription streaming TV services).
According to Apple’s App Store Review Guidelines (section 2.3.2), developers are required to ensure their “app description, screenshots, and previews clearly indicate whether any featured items, levels, subscriptions, etc. require additional purchases.”
Researchers suggest that fleeceware apps skirt this requirement by advertising themselves as “free” apps, then presenting users after download with a “free trial” notification that prompts the user to provide payment card details. Once the “free trial” expires, the developer charges the user unless the user has both uninstalled the application and informed the app developer that they’re done using it. This model is similar to other “free trial” offers, which put the responsibility of cancelling or opting out of services on the user.
“In some cases, most of the useful features of the app will only be usable if you sign up for the subscription,” said Chandraiah. “Some users may sign up to subscribe without reading the fine print, which includes the actual cost of the subscriptions.”
Fleeceware apps are known to use a variety of tricks to charge exorbitant amounts of money. Some victims who have followed an app’s subscription-model rules to unsubscribe still found themselves charged by the developer.
The developers behind the apps in question use various techniques to market them. For instance, they advertise through popular platforms, including YouTube videos and social media platforms like Instagram or TikTok. Many of the apps also have a high number of five-star reviews – although some reviews do reflect angry users who complain of the money-gouging tactics (researchers, for their part, said they have no evidence that the positive app reviews are fake).
Fleeceware apps continue to plague the mobile phone landscape. In a January report, researchers found that fleeceware apps are a rampant issue on Google’s Google Play app marketplace. In fact, fleeceware apps had been installed from Google Play nearly 600 million times on more than 100 million devices, they found.
“Fleeceware is a problem on both the Android and iOS mobile platforms,” said researchers. “App publishers also have the ability to introduce new fleeceware apps by releasing new apps with the same subscription policies, or by converting a previously free app into fleeceware by changing the app’s profile in the App Store, though Apple developer policies prohibit this behavior.”
Researchers said that users should remain vigilant and carefully scrutinize the terms for purchasing, or “subscribing to,” apps.
Threatpost has reached out to Apple for further comment.