Beware of fleeceware – when “free” does not really mean free

Author
Mirjam Burkard
Published
21. August 2020

There are rip-off apps in the app stores that entice people with a free trial period which, after a short time, is automatically converted into an expensive subscription. The fees keep being charged even after the app has been deleted. The term for this is “fleeceware”. What is fleeceware’s business model, and how can you protect yourself against it? You can find out in this blog article.

What is fleeceware?

Spyware, adware and malware are familiar terms, but what is fleeceware? Sophos researchers coined the term when they were investigating a group of apps that were charging users grossly inflated prices for simple functions. These apps lured people in with a trial period, which quickly turned into a paid subscription. The same or similar functions were often available in other apps at much lower prices, or even free of charge: for example, a flashlight app costing 10 Swiss francs per week, or a barcode scanner for 100 Swiss francs per month. Other examples are simple photo and video filters or editors. A list of fleeceware apps can be found here.

Fleeceware apps can be found in the official app stores. They are tricky to spot, as there is usually no malicious code in the app and the user is not asked for unnecessary permissions. In a nutshell, there is nothing resembling malware that could be caught by Google’s or Apple’s security checks. Technically, they do not breach the app store rules, as they contain no overt malware, and they are not PUAs (Potentially Unwanted Applications) either. They fall into a grey area: the harm is done through the billing terms, not through the code.

The fleeceware business model

App stores allow developers to offer paid apps free of charge for a trial period. If you don't like the app, you can uninstall it. However, the store guidelines specify that the user must explicitly cancel the subscription before the trial period ends. Simply deleting the app does not cancel it. If the subscription is not cancelled, the app is considered purchased once the trial period is over, and the subscription fee is charged to the payment method on the account.

Fleeceware apps flagrantly exploit this aspect of the app store terms and conditions. They attract people with a free trial period which, after a short time, usually three days, is automatically converted into a paid subscription. Additional traffic is generated by paid advertising, and the app reviews are often paid for. The subscription terms are hidden in the small print or in the app's terms of use. Virtually no one reads them, so many users only realise that they have entered into a subscription contract when it is too late. On top of that, many people do not understand that the trial period has to be cancelled explicitly; they assume that uninstalling the app cancels it. In the meantime, the fees continue to accrue.

Fleeceware apps often flout the standards set by Google and Apple on how in-app purchases and subscription fees have to be presented within the app and the store listing. For example, users are offered a trial period, but as soon as they open the app for the first time they are asked to make a payment, or they have to log in and provide their payment information before they can use the app at all.

A few years ago there were even iOS fleeceware apps that abused Touch ID. Users were prompted to place a finger on the fingerprint sensor, supposedly for some other purpose, while an in-app purchase prompt was displayed, so the touch actually approved a payment. Apple has since banned this kind of baiting. A newer trend is for fleeceware apps to switch from annual subscriptions to monthly or weekly fees, so that the charges blend in with other app or streaming subscriptions on the bill.

How can you protect yourself against fleeceware?

If an expensive product can be tried out free of charge, it will attract a great many users. Fleeceware uses this fact to its advantage. What’s more, there is a general reluctance to read the general terms and conditions (GTCs) closely. So how should you protect yourself from fleeceware? The following tips should be borne in mind when installing apps:

  • Read pop-ups and general terms and conditions carefully. Often, tapping "accept" not only triggers a payment but also authorises the transfer of a lot of personal data.
  • For apps with a free trial period that is then converted into a subscription, check the cancellation policy. Frequently, it is not enough just to delete the app from the device. On Android devices, subscriptions are cancelled in the subscription management section of the Google Play account; on iPhones and iPads, in the Subscriptions section of the Apple ID settings or the App Store app.
  • Avoid leaving automatic recurring billing enabled on accounts or credit cards where you can, and review your card statements and the store's subscription list regularly, so that an unexpected weekly or monthly charge is noticed early.
  • It is also a good idea to have an effective security solution that flags up dubious applications before they can cause any harm. For example, Sophos Intercept X for Mobile is available at no charge from the Apple App Store and Google Play.
  • Only download apps from the official app stores, the Apple App Store or Google Play. Apps on these platforms are regularly subjected to security checks. Note, though, that these checks do not catch fleeceware, since there is no malicious code to detect.
  • Only install trustworthy apps, and read the app and developer reviews carefully, bearing in mind that reviews may be paid for.
  • Review new apps carefully, especially those that advertise in-app purchases or subscriptions.

Sooner or later, you are bound to come across a fleeceware app. Be suspicious of free trial periods and follow the tips above to avoid falling into the subscription trap. Then nothing stands in the way of downloading.
