$200 for nothing–fleeceware: a new threat

Sven Krumrey

Do you remember the scene where Indiana Jones is chased by a giant boulder threatening to crush him? Think of the boulder as major Ashampoo projects and me as Indiana Jones–but less agile and with somewhat rusty hips. That's what it's been like around here recently! And every boulder caught me straight on! The blog was the first victim of this deadline frenzy and, though it hurt, there was nothing I could do about it. Naturally, a lot has happened during my forced absence as blog writer so let's start with a particularly crummy topic that could potentially cost cellphone users hundreds of dollars each month: fleeceware!

The bill of terror

Time and time again, both Google and Apple are plagued by shady apps that sneak into their stores while pretending to be regular apps. The latest wave of these nasties has been dubbed fleeceware and it uses an old scam, but in digital form: hidden subscriptions. On the outside, fleeceware apps look just like any other app and offer useful features, e.g. a QR scanner, a calculator or photo optimization. Users are free to test them under a trial period, so nothing out of the ordinary yet–except that users are asked to submit their payment details the first time they run the apps. Without this, the apps refuse to start. Once entered, disaster strikes, thanks to a loophole in Google's Play Store terms.

The trial period usually only lasts three days, during or after which most users remove the apps in the belief that the payment details they provided no longer apply. Here's the thing: uninstalling an app is not the same as unsubscribing. By submitting their payment details, and ignoring the fine print, users have already subscribed. Removing the affected apps does not cancel the subscription. It's the subscription price that earns fleeceware its foreboding name: $200 or more is not uncommon–per month! The only way to escape the trap? Unsubscribe from within the apps and then uninstall them. Currently, Play Store imposes a cap for subscription fees of €300 in the EU and $400 in the US. That still leaves plenty of room to overcharge users.

Not as safe as you may think: Google Play Store

Naturally, Google have already sprung into action and removed some of the apps, but more will likely follow. Google's dilemma is that, while shady, overcharging is not illegal under their terms. And, unlike malware, fleeceware apps behave as advertised. They don't execute malicious code or steal sensitive information. By providing their payment details at first launch, users willingly enter into a subscription agreement. And keeping their subscriptions alive after they've uninstalled the apps can make sense, e.g. when users are migrating from their old to their new cellphones and wish to keep their settings and apps.

Most users are totally unaware they've subscribed, especially those who quickly uninstalled because of the short trial period. Here's how to cancel subscriptions on your Android device:

  1. Open Google Play Store.
  2. Make sure you’re signed in to the correct Google Account.
  3. Tap "Menu ☰" > "Subscriptions".
  4. Select the subscription you want to cancel.
  5. Tap "Cancel subscription".
  6. Follow the instructions.

If it's less than 48 hours since you purchased, you can request a refund:

  1. Click "Order History".
  2. Find the affected order.
  3. On the order, click "More ⁝".
  4. Select "Request a refund" or "Report a problem" and pick the option that applies to your situation.
  5. Complete the form and include that you request a refund.

And it's gone ...

Is fleeceware an Android-only phenomenon? Hardly! iOS saw a VPN app that charged users $400 back in 2017 and a QR scanner app that cost $3.99 a week, not much by comparison but still. That's when Apple decided to display a notification in iOS 13 when users remove an app with an active subscription. Let's hope Android will quickly follow suit. A detailed summary of all price, subscription and trial conditions would also be much appreciated!

So how do you spot a fleeceware app? Take a closer look! With billions of smartphone users, it's unlikely you'll be the first victim. So check the reviews for warnings and cuss words that are a clear indicator that something's amiss! You can also check popular online magazines or portals for hands-on feedback. Though the screening process for Google's Play Store is shorter than for Apple's equivalent, neither can guarantee 100% app safety. That's why we'll once again have to rely on the security center between our ears and think before we click!

What I would like to know: Have you already encountered or even installed malicious apps on your cellphone?
