What Is Fleeceware and How Can You Protect Yourself?

It's always safer to download mobile apps from official stores like Google Play and Apple's iOS App Store, but even then there's still some risk that malicious apps have snuck in. You've already heard of spyware, adware, and malware writ large, but now there's another flavor of sketchy app to worry about: fleeceware.

Fleeceware is tricky, because there's typically nothing malicious in the code of the offending apps. They don't steal your data or try to take over your device, meaning there's nothing malware-like for Google and Apple's vetting process to catch. Instead, these scams hinge on apps that work as advertised but come with hidden, excessive subscription fees. A flashlight app that costs $9 per week or a basic photo filters app that's $30 per month would both be fleeceware, because you can get the same types of tools for free, or much cheaper, from other apps.
Sophos, the security firm that coined the term fleeceware, found 25 such apps on Google Play in January that had a combined total of more than 600 million downloads. At the beginning of April, the researchers highlighted 30 apps in the iOS App Store that they say fall under the category.

"In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that's up to them," says Sophos senior security advisor John Shier. "But it's just the exorbitant price that you're being charged and it's not done above board. That to me is not ethical."

Fleeceware schemes often crop up in the same genres of apps that are used for other mobile scams and attacks. These are generally benign-looking tools like simple photo and video filters and editors, horoscope apps or fortune-telling tools, QR code and barcode scanners, or utilities like flashlights and custom keyboards. The Sophos researchers also suspect that fleeceware developers use zombie accounts to post five-star reviews or inflate their download numbers in Google Play to make their offerings look more legitimate.
Reed points out that some iOS fleeceware apps a couple of years ago tricked users into confirming something that looked minor using Apple's Touch ID, but really approved a payment behind the scenes. Apple has since banned this type of bait-and-switch.

In spite of Apple and Google's rules around in-app purchases, fleeceware developers can still lure people into making purchases through their Apple and Google accounts, or even just collect their credit card information directly without any store oversight. Sophos researchers say that many of the fleeceware apps they saw last fall charged an annual subscription, but that scammers are increasingly moving to monthly or weekly payments. That's likely an attempt to reduce sticker shock, let the fraudsters charge more over time, and make the charges blend in with the streaming services and legitimate app subscriptions people already pay for.