Sophos, the security firm that coined the term fleeceware, found 25 such apps on Google Play in January that had a combined total of more than 600 million downloads. At the beginning of April, the researchers highlighted 30 apps in the iOS App Store that they say fall under the category.

"In our capitalistic society, you can look at fleeceware apps and say if somebody wants to waste $500 per year on a flashlight app that's up to them," says Sophos senior security advisor John Shier. "But it's just the exorbitant price that you're being charged and it's not done above board. That to me is not ethical."

Fleeceware schemes often crop up in the same genres of apps that are used for other mobile scams and attacks. These are generally benign-looking tools like simple photo and video filters and editors, horoscope apps or fortune-telling tools, QR code and barcode scanners, or utilities like flashlights and custom keyboards. The Sophos researchers also suspect that fleeceware developers use zombie accounts to post five-star reviews or inflate their download numbers in Google Play to make their offerings look more legitimate.
Reed points out that some iOS fleeceware apps a couple of years ago tricked users into confirming something that looked minor using Apple's TouchID, but really approved a payment behind the scenes. Apple has since banned this type of bait-and-switch.
In spite of Apple and Google's rules around in-app purchases, fleeceware developers can still lure people into making purchases through their Apple and Google accounts, or even just collect their credit card information directly without oversight. Sophos researchers say that many of the fleeceware apps they saw last fall charged an annual subscription, but that scammers are increasingly moving to monthly or weekly payments. That's likely an attempt to reduce sticker shock, enable fraudsters to charge more over time, and try to make the payments blend in with the other streaming services and legitimate app subscriptions people already have.