'Fleeceware', And How 'Good Apps' Take Advantage Of Google Play Policy Loopholes

Policies on Google's Play Store are drafted with careful consideration and awareness by more than just a small group of people, but loopholes still exist.

Google allows developers to market their apps with a free trial, then charge users a price once the trial period ends.

But according to Google's policy on canceling, pausing, or changing subscriptions on Google Play, uninstalling an app will not cancel the subscription.

This simple statement means that when users install an app with a subscription, simply uninstalling it won't stop the subscription from taking effect. To stop the billing, users need to first cancel the subscription, then uninstall the app.

In other words, users who don't do this will have to pay the price set by the app's developer once the trial period ends.

Researchers at security firm SophosLabs found that some Android app developers have been exploiting this free-trial loophole to charge customers anywhere from $100 to $240 at the end of a short trial.

The researchers call this kind of fraud: 'fleeceware'.

[Image: Fleeceware. Credit: SophosLabs]

According to the researchers on their website post:

"The app developers take advantage of a business model available within the Play Market ecosystem in which users can download and use the apps at no charge for a short trial period. When the trial expires, if the user who downloads and installs one of these apps hasn’t both uninstalled the application and informed the developer that they do not wish to continue to use the app, the app developer charges the user."

"In the case of a normal app, this might cost only a few dollars, but the publishers or developers of the apps described in this post routinely charge users hundreds of dollars (or Euros, depending on the geographic region in which the user resides)."

What makes this 'fleeceware' unique is that it doesn't contain any malicious code or malware. Some of the apps may even have useful functionality.

But what makes fleeceware apps fraudulent is that they charge users hundreds of dollars for simple Android functionality, like a barcode reader, a photo filter, or even a slightly tweaked calculator.

At that price, it's an expense nobody wants.

This puts fleeceware apps in a categorical grey area: they are neither malware nor potentially unwanted applications (PUA).

"It’s a business model that walks a fine ethical line, but it is apparently successful," said the researchers, adding that "with millions of installations, in some cases, if even a small percentage of users forgets to cancel their subscription before the trial period lapses, app creators can make significant money."

"We’ve coined the term fleeceware, because their defining characteristic is that they overcharge users for functionality that’s widely available in free or low-cost apps."

[Image: Fleeceware. Credit: SophosLabs]

"Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market. Their developers also seem to be very good at staying under the radar from security vendors. Even so, there are other characteristics of these apps that make them less-than-desirable."

SophosLabs initially discovered a list of 15 apps engaged in this practice.

After SophosLabs contacted Google, the company's representatives said it had decided to pull some of the apps from its store.

Initially, SophosLabs found that 14 of the 15 apps it had reported to Google had been removed. But while waiting for the last one to be removed, the researchers found another batch of apps, with even higher download counts than the first 15.

What makes matters worse is that many reviews of the fleeceware apps showed that users had failed to unsubscribe. In the case of one QR code reader app, the developer charges users €104.99 after 72 hours. The makers of an app called Professional GIF Maker charge users €214.99 when the trial ends.

"We haven’t seen apps sold at this price before," said the researchers.

"We encourage Google to do more to tighten up their policies that, currently, do not explicitly prohibit app developers from taking advantage of this in-app purchasing loophole. Customers who experience buyer’s remorse may have no recourse to ask for refunds after a few days. If you aren’t very actively monitoring your credit card for charges like this, you might not notice until the window for refunds has closed," explained the researchers.

Published: 26/09/2019