Fleeceware is one of the worst scams you can deal with on your device, because it has one, singular goal: extracting as much money from you as possible. It generally accomplishes this not by dropping malware on your device or otherwise forcing you to do something; instead, fleeceware hides in plain sight, relying on a user’s misunderstandings or carelessness to rack up big charges.
Worse, most app stores have a tougher time flagging these apps — if they do at all — because they don’t contain bad malware. They’re just bad actors, and a developer is free to sell apps and services for whatever prices they want. As long as an app is playing by an app store’s rules, the practice of misguiding users into paying $100 for a bogus in-app purchase, for example, isn’t often something that’s easily caught without a number of people flagging the app or complaining directly. Even then, that might not be enough to force an app’s removal.
Avast recently discovered 204 fleeceware applications living on Apple and Google’s app stores. Given how many apps are out there, this doesn’t sound like a big deal until you look at the other statistics: more than one billion total downloads and over $US400 million ($523 million) in revenue made. Yuck.
The fleeceware applications discovered consist predominantly of musical instrument apps, palm readers, image editors, camera filters, fortune tellers, QR code and PDF readers, and ‘slime simulators’. While the applications generally fulfil their intended purpose, it is unlikely that a user would knowingly want to pay such a significant recurring fee for these applications, especially when there are cheaper or even free alternatives on the market.
It appears that part of the fleeceware strategy is to target younger audiences through playful themes and catchy advertisements on popular social networks with promises of ‘free installation’ or ‘free to download’. By the time parents notice the weekly payments, the fleeceware may have already extracted significant amounts of money.
So, how do you know if you’ve been suckered? For starters, check your purchases and active subscriptions:
- To check past purchases: App Store > Apple ID (upper-right corner) > Purchased
- To check past purchases (with payments): App Store > Apple ID (upper-right corner) > Apple ID (your name/email address) > Purchase History (Scroll down a bit)
- To check active subscriptions: App Store > Apple ID (upper-right corner) > Subscriptions
- To check past purchases (with payments): Play Store > Hamburger icon (upper-left corner) > Account > Purchase history
- To check active subscriptions: Play Store > Hamburger icon (upper-left corner) > Subscriptions
You’ll be able to quickly see if you’ve made any in-app purchases that look suspicious after the fact. Similarly, if you’re signed up for any expensive subscriptions that you haven’t already noticed via your monthly credit card statements, you’ll be able to see them clearly. And it goes without saying, but if you’re regularly paying money to access something you don’t need, cancel the subscription.
Of course, a better route is to avoid fleeceware in the first place. It’s pretty easy to avoid bogus apps on Android and iOS, but I’m also pretty tech-avoidant in that regard: I don’t click or tap on ads for apps, nor do I download apps that have bad ratings, poorly written reviews, or whose descriptions or screenshots just look off. And if I’m ever confronted with a “pay to unlock” or “pay to subscribe” — sometimes even just a free trial — I tend to ditch the app. Unless I’m reviewing them for Lifehacker, I only pay for apps that have been critically reviewed or recommended by others.
Of course, you can always check to see what in-app purchases an app offers via its product page on the Google Play Store or Apple App Store. If a seemingly ho-hum app offers $US500 ($654) subscriptions, odds are good that you don’t need it on your phone to begin with.
And, of course, be wary of something that seems too good to be true. Check details before signing up, especially the terms of things like free trials (a few days? a week? a month?), subscription billing (every week? every month?), price changes (X for one period of time, Y for another), and blatant bait-and-switches (one advertised price in the app, but an actual, much-higher price in the pop-up payment window that appears). You might have to go sleuthing within an app — including scanning for tiny, almost-hidden text — to get the truth.
When in doubt, if you’re doing a lot of work to verify an app and its legitimacy, that should be a sign that something is wrong. Great apps make it very easy to see what you’re buying and what you’re getting; scammy apps try to confuse you. Unfortunately, poorly designed but honest apps can fall somewhere in the middle, but ask yourself: Do you really need these on your device? Surely there’s a compelling alternative that’s not as difficult.