23 Fleeceware Found On Google Play Store Due To Loophole, Researchers Said


It seems that Google Play isn't quite done dealing with malware apps that are plaguing its app store.

Android is one of the most popular mobile operating systems, running on billions of devices around the globe. Yet Google has repeatedly failed to police its own platform, and 'fleeceware' apps have once again been found on the Play Store.

Sophos researchers said they found at least 23 fleeceware apps that lure customers into paying exorbitant subscription fees.

Those malicious apps were found months after Google updated its policies and introduced new approaches to solve this kind of issue.

According to the Sophos researchers in a blog post:

"In previous coverage of fleeceware, we showed examples of app subscription sign-up pages that had been designed to make it hard to read the terms of the app subscription. The new Google-issued rules are designed to address some forms of deceptive marketing display copy, but they also have some loopholes that permit other behavior some might consider unscrupulous."

Read: 'Fleeceware', And How 'Good Apps' Take Advantage Of Google Play Policy Loopholes

Google's updated directives do help.

Because developers must now design their apps to tell users the true terms and cost of a subscription before it starts, Google has addressed part of the problem. Unfortunately, some apps still slip through the cracks by exploiting a loophole.

The developers behind these apps have come up with new tricks to get around those directives. According to the researchers at Sophos, they include:

  1. Blind subscription: The researchers found that many of the fleeceware apps prompt users to start the subscription immediately, using a button labeled 'Try FOR Free' or 'Start Free', before displaying the full billing details or giving users any way to find out what they are before the subscription starts.

     In other words, users know that they have signed up, but not for how long or for how much.

  2. Spam subscription: This method offers a free trial but then leads users down a rabbit hole: once they have signed up, they find themselves subscribed to a bunch of different apps, because the fleeceware apps advertise one another.

  3. Termoflauging: This method violates Google's policy because it uses tricks to visually conceal the Terms and Conditions section, for example grey text on a white background, or a font so small it cannot easily be read.

The list of 23 fleeceware apps available for download through Google Play Store. (Credit: Sophos)
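The 'termoflauging' pattern described above is easy to check for mechanically. The example below is added here for illustration and is not Sophos's tooling or anything from the apps in question: it scores a constructed set of text styles taken from a hypothetical sign-up screen using the WCAG relative-luminance contrast ratio and a minimum font size. The 4.5:1 contrast floor is the WCAG AA threshold for normal text; the 12sp minimum font size and the sample colours are assumptions made for the example.

```python
# Added example (not from the original article or from Sophos): flag
# subscription-terms text that is styled to be hard to read.
from dataclasses import dataclass


@dataclass
class TextStyle:
    label: str      # which element of the sign-up screen this is
    fg: str         # text colour as "#rrggbb"
    bg: str         # background colour as "#rrggbb"
    size_sp: float  # font size in Android scale-independent pixels


def _linear(channel_8bit: int) -> float:
    # sRGB to linear light, per the WCAG relative-luminance definition
    c = channel_8bit / 255.0
    return c / 12.92 if c <= 0.03928 else ((c + 0.055) / 1.055) ** 2.4


def relative_luminance(hex_colour: str) -> float:
    h = hex_colour.lstrip("#")
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)


def contrast_ratio(fg: str, bg: str) -> float:
    # WCAG contrast ratio: (L_lighter + 0.05) / (L_darker + 0.05), range 1..21
    lighter, darker = sorted(
        (relative_luminance(fg), relative_luminance(bg)), reverse=True
    )
    return (lighter + 0.05) / (darker + 0.05)


MIN_CONTRAST = 4.5   # WCAG AA for normal text
MIN_SIZE_SP = 12.0   # assumption: smaller than this is treated as "tiny"


def assess(style: TextStyle) -> list:
    """Return the reasons a style looks concealed; empty list means it passes."""
    reasons = []
    ratio = contrast_ratio(style.fg, style.bg)
    if ratio < MIN_CONTRAST:
        reasons.append(f"low contrast {ratio:.2f}:1 (min {MIN_CONTRAST}:1)")
    if style.size_sp < MIN_SIZE_SP:
        reasons.append(f"tiny font {style.size_sp}sp (min {MIN_SIZE_SP}sp)")
    return reasons


def flag_terms(styles: list) -> dict:
    """Map each flagged element label to its list of reasons."""
    return {s.label: assess(s) for s in styles if assess(s)}


# Constructed sample: a prominent "Try FOR Free" button, a clearly readable
# price line, and a terms block rendered grey-on-white at 8sp.
SAMPLE_STYLES = [
    TextStyle("cta_button", "#ffffff", "#1a237e", 18.0),
    TextStyle("price_line", "#222222", "#ffffff", 14.0),
    TextStyle("terms_block", "#bbbbbb", "#ffffff", 8.0),
]

if __name__ == "__main__":
    for label, reasons in flag_terms(SAMPLE_STYLES).items():
        print(label, "->", "; ".join(reasons))
```

Run against the sample, only the terms block is flagged, for both low contrast (about 1.92:1) and tiny font. In practice the styles would come from the app's rendered layout or an accessibility-tree dump rather than from a hand-written list.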

These apps were found to charge as much as $249.99 for a yearly subscription.

Developers know there is a limit on how much they can ask for a subscription. In the U.S., for example, an app can charge at most $400 for a subscription. In many other countries, the maximum is set in the local currency at a roughly equivalent value.

The loophole arises because "the rule doesn't specify the duration of the subscription that can charge that maximum amount," said Jagadeesh Chandraiah, a nine-year veteran of SophosLabs.

This means the developers creating these apps can exploit the loophole to charge $400 a year, $400 a month, or $400 a week.

"Any developer can take advantage of this loophole to charge you hundreds of dollars per week," the researcher said.

A Google spokesperson told the Sophos researchers that "subscription costs are set at the discretion of the developer." That discretion, however, is apparently what allows fleeceware apps to remain on Google Play.

It should be noted that Google has made progress in making its platform safer for users, introducing consumer-friendly improvements to keep malicious apps off its Play Store. In this case, though, Google must do better at controlling pricing.

Published: 
24/08/2020