Imagine an Android GIF-making app available on Google Play that automatically charges €214.99 ($253) to continue using it beyond its three-day trial period.
Or how about a completely unremarkable QR code reader app, whose developer thinks that a charge of €104.99 is a fair price to continue using it 72 hours after it was downloaded.
If you think these prices sound far-fetched, we have news – researchers at SophosLabs have discovered at least 15 apps which have been downloaded millions of times between them charging these extraordinary prices under Google’s nose.
The most unexpected part of this discovery? By exploiting a loophole in the Play store licensing regime, this behaviour appears to be legal.
Getting away with it
The scam works by exploiting the legitimate app behaviour of allowing users to download apps under a trial license period which, in this case, ends after a few days.
There is nothing obviously malicious about the apps, which mostly work as advertised, albeit that their features are identical to advertising-supported apps that cost nothing.
Importantly, the apps ask users to submit their payment details during the trial period, which most users probably assume won’t apply if they de-install the app.
Because the huge annual subscription price is only mentioned in small print, users probably assume the cost will be a few dollars or euros.
SophosLabs’ researchers discovered three apps charging €219.99 for full licenses, with another five charging €104.99, and one charging €114.99.
One of these ‘fleeceware’ apps had more than 10 million downloads, two had 5 million, with the rest between 5,000 and 50,000.
There doesn’t appear to be any easy way to recover the money either, whether through a chargeback or a refund.
SophosLabs malware analyst, Jagadeesh Chandraiah, with admirable understatement, said:
We haven’t seen apps sold at this price before.
When Naked Security covers stories of rogue apps in the Play store Google often doesn’t seem to notice the problem at all until researchers report the apps for malicious or exploitative behaviour.
The failure to spot what’s going on does seem to be an issue here too – SophosLabs offers examples of Play store users complaining about fleeceware apps, apparently without anyone higher up noticing this.
For example, the user who headlined their one-star app review “SCAM THAT TAKES YOUR 95 DOLLARS!!!,” before suggesting “take this app down Google.”
So far, the company also hasn’t clarified whether apps offered under trial with very high licensing prices might breach in-app policies.
Google didn’t notice the bad reviews, or the high prices, until SophosLabs alerted them to the issue, although last week 14 of the 15 apps named by SophosLabs were removed. Unfortunately, says Chandraiah…
A subsequent search revealed another batch of apps, with even higher download counts than the first, still available on the Play Market.
Which suggests this app behaviour might be what is called a ‘grey area’.
Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market.
Perhaps this is simply an extreme case of caveat emptor (buyer beware). But on the app store of the world’s largest mobile operating system maker, users should surely never find themselves being charged hundreds of euros for an unremarkable GIF utility.
11 comments on “‘Fleeceware’ Play store apps quietly charging up to $250”
Which one did they NOT take down? And why?
he he, finallyyyyyyy, Google have removed all the apps now.
One more good reason to not link a credit card to play store (or anything else like that, paypal, itunes, amazon, etc).
I use a reloadable prepaid card with a limited balance with my google account.
I use Citi’s “virtual card numbers” where I can set a max charge limit, for anything I buy online.
That would include if I were to sign up for some “trial” – I would set the max charge to a few bucks…
And NEVER download an app that asks for your credit card info unless you fully intend to buy the thing.
Since when does Google have to justify anything they do 🤔
They’ve removed perfectly legitimate apps for no reason before so…
These apps are pure scum but there is nothing quiet about how they charge you. It’s not small print – it’s regular sized. And there is a notification when you uninstall the app that tells you that you are still subscribed.
You can be legal and still rip people off.
Doesn’t Google review app policies as well as code?
Goog gets their money, so they don’t care. They should invest some of the huge percentage they charge sellers into monitoring the store, but nah, it hurts profits. That’s expecting too much from a company that has been called to congress for election tampering among other anti-trust issues.
this is just what Google encouraged developers to do
This just happened to me with two separate, unknown apps charging me $220 EACH for subscriptions. Problem is, it’s not downloaded on any device when I checked. I discovered it within roughly an hour or two after the charges were made because I coincidentally had to check my account for something else. Immediately I reported the fraud for a refund. Now I just have to wait, I guess, for Google to investigate. Reading reviews in the apps, multiple folks were told no refund because someone else may have downloaded, like a child. This could very well be possible in my case, I suppose; however, I have password protection for any and all purchases, so it blows my mind how it could have happened, regardless. Can the app charge, unauthorized, later as a “subscription” and bypass the payment security entirely? Because those apps download free. Any parent could easily wake up with a drained bank account, despite their additional security efforts.