
Security researchers from Sophos say they've discovered a new set of "fleeceware" apps that appear to have been downloaded and installed by more than 600 million Android users.

The term fleeceware is a recent addition to the cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that discovered a new type of financial fraud on the official Google Play Store.

It refers to apps that abuse the ability for Android apps to run trial periods before a payment is charged to the user's account.

By default, all users who sign up for an Android app trial period have to cancel the trial manually to avoid being charged. However, most users simply uninstall an app when they don't like it.

The vast majority of app developers interpret this action -- a user uninstalling their app -- as a trial period cancelation and don't follow through with a charge.

But last year, Sophos discovered that some Android app developers did not cancel an app's trial period when the app was uninstalled unless they received an explicit cancellation request from the user.

Sophos said it initially discovered 24 Android apps that were charging obscene fees (between $100 and $240 per year) for the most basic and simplistic apps, such as QR/barcode readers and calculators.

Sophos researchers called these apps "fleeceware."

In a new report published yesterday, Sophos said it discovered another set of Android "fleeceware" apps that have continued to abuse the app trial mechanism to impose charges on users after they uninstalled an app.

These apps were installed by more than 600 million users. The number seems high, but Sophos mobile malware analyst Jagadeesh Chandraiah said he suspects the apps might have used third-party pay-per-install services to boost install counts and then bought fake five-star reviews to boost their ranking on the Play Store and attract a large number of users.

It's very likely that not all users who installed these apps signed up for a trial period, but those who did might want to check their Play Store payment history for any charges coming from past, now-uninstalled apps.

The table below contains the names and other indicators for the 25 Android apps which Sophos says are engaging in fleeceware behavior. One of the apps -- the GO Keyboard Lite keyboard app -- has a history of shady behavior. Back in 2017, this app was caught sending back the text users were typing on their devices to servers in China.

[Table of the 25 apps, image credit: Sophos]