SophosLabs has discovered a collection of Android apps on Google’s Play Market whose sole purpose appears to be to severely overcharge users for apps that provide very simple functionality, the same functionality available in low-cost or free apps.
The app developers take advantage of a business model available within the Play Market ecosystem in which users can download and use an app at no charge for a short trial period. The trial is tied to a subscription, so when it expires the developer charges the user unless the user has cancelled the subscription before the deadline. Simply uninstalling the app is not enough; the subscription must be cancelled separately, and users who uninstall without also cancelling still get billed.
In the case of a normal app, this might cost only a few dollars, but the publishers or developers of the apps described in this post routinely charge users hundreds of dollars (or euros, depending on the geographic region in which the user resides).
The apps themselves do not appear to be malicious or to contain malicious code, and some may even have useful (if redundant) functionality. However, it’s hard to imagine that anyone who is charged hundreds of dollars for a simple barcode reader or photo filter would consider such an expense merely “potentially unwanted”; nobody wants that.
Because these apps occupy a grey area, neither overtly malware nor a conventional potentially unwanted app (PUA), we’ve coined the term fleeceware for them. Their defining characteristic is that they overcharge users for functionality that’s widely available in free or low-cost apps.
We reached out to representatives of Google’s Play Market to find out whether the terms and conditions under which these apps are sold violate any of Google’s public or internal policies.
Last week, after Sophos had brought this purchasing behavior to their attention and sent along a list of 15 apps engaged in this practice, a Google representative told us the company had decided to pull some from their store. By our count, 14 of the 15 apps we informed Google about have been removed. A subsequent search revealed another batch of apps, with even higher download counts than the first, still available on the Play Market.
We encourage Google to do more to tighten up their policies, which currently do not explicitly prohibit app developers from taking advantage of this trial-to-subscription loophole. Customers who experience buyer’s remorse may have no recourse to ask for refunds after a few days. If you aren’t actively monitoring your credit card statement for charges like this, you might not notice until the window for refunds has closed.
The fleeceware business model
Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market. Their developers also seem to be very good at staying under the radar from security vendors. Even so, there are other characteristics of these apps that make them less-than-desirable.
These applications are, fundamentally, simple. We’ve observed tools like QR or barcode readers, calculators, tools to make animated GIFs, or photo editors. In most cases, there are free alternatives from well known vendors already available on the Play Market.
In many reviews for fleeceware apps, users report that they failed to unsubscribe before the trial period ended and were charged very high amounts of money. In the case of one QR code reader app, the developer charges users €104.99 after 72 hours. The makers of an app called Professional GIF Maker charge users €214.99 when the trial ends. We haven’t seen apps sold at this price before. It’s a business model that walks a fine ethical line, but it is apparently successful. Some percentage of users will fail to cancel the trial, even if they intend to do so, and the app makers earn their keep on the backs of users who forget to unsubscribe, or who fail to ask for a refund within the short window in which they can do so.
Users’ fleeceware fury
From the user reviews on the Play Market store, it’s clear that many users who installed these apps and were subsequently charged extortionate fees are understandably furious. Users indicated that they were charged different amounts based on their geographic region. Some people are asking Google to take these apps down, and some want a refund.
Google addresses concerns
Google polices the apps that they publish on their online store for outright malicious activity and fraud. But these applications evaded Google’s attention by staying on the razor’s edge of legality, and exploited the fact that most people avoid reading fine print.
Perhaps this is simply an extreme case of caveat emptor (buyer beware). But on the app store of the world’s largest mobile operating system maker, users should surely never find themselves being charged hundreds of euros for an unremarkable GIF utility.