Google Play Found to Have 23 ‘Fleeceware’ Apps Luring Customers Into Paying Exorbitant Subscription: Sophos

Sophos researchers found developers using misleading language on their apps to overcharge and dupe unwary users on Google Play.

By Jagmeet Singh | Updated: 26 August 2020 18:46 IST

Google Play Found to Have 23 ‘Fleeceware’ Apps Luring Customers Into Paying Exorbitant Subscription: Sophos

Android users trapped by “fleeceware” apps often pay hundreds of dollars in subscriptions

Highlights

Sophos researchers said developers use a “rabbit hole” for users
Google Play updated its policies to restrict “fleeceware” apps
Sophos said despite the update, developers are still misleading users

Google Play contains at least 23 “fleeceware” apps that lure customers into paying exorbitant subscription fees, Sophos researchers revealed in a blog post. The new development comes over seven months after Sophos discovered a set of 25 Android apps that were fleecing users on Google Play. In response to that finding, Google has updated its developer policies with new directives. The research team at Sophos also said that despite roughly two months after the new directives in place, some developers are still ripping off users.

Sophos researchers said that in the course of their new research they were able to find developers using misleading language on their apps to overcharge and dupe unwary users on Google Play. Some developers were also found luring users into a “rabbit hole” and getting them to explore the app beyond the launch page and then bombard them with intimidating subscription offers that emerge even when they try to exit those apps.

Fleeceware creators on Google Play use a “blind subscription” model that doesn't detail the amount of subscription a user needs to pay to get an app, Sophos researchers highlighted.

Millions of Smartphones With Qualcomm DSPs Hit by Vulnerabilities: Report

“According to Google, ‘the offer emphasises the free trial, and users may not understand that they will automatically be charged at the end of the trial.' Publishers aren't allowed to do this anymore, but some still try,” researcher Jagadeesh Chandraiah wrote in the blog post.

In addition to blind subscriptions, some apps were found to have a “spam subscription” model where once a user signed up, they would be served with a bunch of different apps — apart from the one they've subscribed to. Chandraiah said that users sometimes unknowingly subscribe to such apps and spend hundreds of dollars.

Sophos researchers also found that in some cases, developers used a fine print of their terms and conditions to trick users visually and charge huge subscriptions in a misleading way.

'BlackRock' Android Malware Can Steal Banking Credentials, Says CERT-In

“While not exclusive to fleeceware, some apps that charge a subscription still display the costs or important terms literally in grey fonts on a white background, or using incredibly tiny fonts that virtually blend into the background of the subscription solicitation on a mobile device,” wrote Chandraiah.

Although Google updated policies after Sophos initially informed the company about fleeceware apps in September last year and published a similar report in January, 23 apps have been spotted on Google Play violating those policies and still containing fleeceware. These apps are found to charge as much as $249.99 (roughly Rs. 18,600) for an yearly subscription. You can see the full list of the apps discovered by the research firm below.

The list of 23 "fleeceware" apps available for download through Google Play
Photo Credit: Sophos

Some apps are found to have tweaked their interface and text used for the description, though they still charge quite high subscription prices. Google Play policies for subscription-based apps do restrict various behaviours, though Sophos researchers alleged that there isn't a rule to restrict how much an app can cost.

Google Removes 25 Android Apps Caught Stealing Facebook Credentials: Evina

“There is an upper limit on how much apps can charge; In the United States, that number is $400, and in many countries the maximum is set in the local currency at a roughly equivalent value, but there's a loophole,” said Chandraiah. “The rule doesn't specify the duration of the subscription that can charge that maximum amount.”

This was unlike Apple that clearly has a guideline for developers under which it could “reject expensive apps that try to cheat users with irrationally high prices”.

WhatsApp Users Targeted by WolfRAT Android Malware: Cisco Researchers

A Google spokesperson told Sophos researchers that “subscription costs are set at the discretion of the developer.” However, this is apparently resulting in the existence of fleeceware apps on Google Play.

Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.