More than 3.5 million iOS users have installed "fleeceware" apps on their devices, UK security firm Sophos warned in a report published earlier this week.
The term fleeceware is a new addition to the cyber-security jargon and describes apps engaging in a new form of online fraud.
Coined last year by Sophos researchers, the term refers to mobile apps that abuse legal loopholes in the app trial mechanism on Android -- and now iOS.
How fleeceware works
Both the Google and Apple app stores allow app makers to create trial periods for commercial/paid/subscription apps.
Users can install these apps and sign up for a trial by giving the app permission to incur a charge on the user's Play Store or App Store account. Once the trial period ends, the user is charged automatically on their card and allowed to use the app.
Fleeceware apps take advantage of the fact that app makers can still charge users even after users uninstall the app from their devices.
App store policies allow app makers to create their own trial cancelation steps, and some app makers won't interpret uninstalling the app as a trial period cancellation but instead force users to go through complicated procedures.
But while some app makers have abused this loophole to charge users a few dollars for their apps, some unscrupulous app makers have been fleecing users for hundreds of dollars -- hence the term "fleeceware."
For example, last year, Sophos discovered more than 50 Android apps [1, 2], installed by more than 600 million users, that were abusing trial periods to charge exorbitant amounts of money for basic features that are usually available for
Most of these were flashlight apps, horoscope apps, and barcode scanners that were charging obscene fees ranging from $100 to $240 per year for the most basic of features.
"Like we have seen before, most of these fleeceware apps are image editors, horoscope/fortune-telling/palm readers, QR code/barcode scanners, and face filter apps for adding silly tweaks to selfies," said Sophos mobile malware analyst Jagadeesh Chandraiah, who's been looking into fleeceware apps since last year.
The researcher says he identified 32 iOS apps (see table at the end of this article) that charge up to $30/month or $9/week for simple features that are usually available for free. Some of these fees seem small, but they can add up to between $360 and $468 per year, Chandraiah warned.
Chandraiah says that by analyzing app reviews, it was clear that the apps relied heavily on online ads to drive traffic and installs, but then failed to provide any meaningful features, and later charged users when they didn't follow proper trial cancelation procedures.
The Sophos researcher says that many of the apps he identified as engaging in fleeceware-like behavior are some of the highest-grossing apps on the Apple App Store.
"It's debatable that the apps provide 'ongoing value to the customer,' as required in Apple's App Store Review Guidelines for app subscriptions, section 3.1.2(a)," Chandraiah said, suggesting that these apps should not have been allowed on the App Store in the first place.
However, the apps are still available for download at the time of writing. The Sophos researcher suggests that Apple may be allowing the apps to continue on its store because the company makes a commission from all app purchases.
Chandraiah recommends that device owners review their Google and Apple app subscription sections regularly to make sure they haven't been tricked into an unwanted subscription. See instructions below.
On your Android phone or tablet, open the Play Store.
Check if you're signed in to the correct Google Account.