SophosLabs Researchers Identify High-Grossing ‘Fleeceware’ Apps That Abuse Free Trials and Subscriptions

Jagadeesh Chandraiah of SophosLabs:

Since we began writing last year about the consumer-hostile trend in mobile apps that we’re calling fleeceware, the number of apps we’ve discovered that engage in this practice has only increased. In the first two articles we wrote about fleeceware, we covered various Android apps in the official Play Store charging very high subscriptions for apps of questionable quality or utility.

In this latest round of research, we found more than 30 apps we consider fleeceware in Apple’s official App Store.

Many of these apps charge subscription rates like $30 per month or $9 per week after a 3- or 7-day trial period. If someone kept paying that subscription for a year, it would cost $360 or $468, respectively. For an app.

Like we have seen before, most of these fleeceware apps are image editors, horoscope/fortune telling/palm readers, QR code/barcode scanners, and face filter apps for adding silly tweaks to selfies.

I downloaded a horoscope app to see what this world of fleeceware was like. Turns out it’s as bad as you might think. Immediately after launching the app, I was prompted to enter my Apple ID password. I tapped “cancel” and the app proceeded to run. I entered a name, a birthday, and a time of birth — for some reason — after which it scanned my “palm”. Then it asked for my Apple ID password again, so I tapped “cancel” again, and then it said that it could show me my horoscope results with a three-day free trial and, after that, would charge me $13.49 per week.

How could anyone pass up a deal like that?

Tapping the subscription button showed me the standard in-app purchase sheet, so I confirmed the purchase with Face ID. Then it prompted me for my Apple ID’s password again, so I tapped the cancel button again, after which I was shown a SwiftyStoreKit error. I tried the in-app purchase again and, with trepidation, entered my Apple ID’s password at the prompt. My trial was unlocked; I could at long last know what the stars and my palm have in store for me, or whatever.

I learned a few things while running this experiment:

  1. One advantage of requiring apps to use Apple’s own in-app purchases API is that all subscriptions are tied to an Apple ID and known at the system level. That means that Apple could theoretically solve the problem of erroneous subscriptions by notifying consumers when a free trial is expiring.

  2. Even though I ostensibly have a free trial for three days, the fine print suggests that I must cancel by day two or I will be charged for the first week.

  3. The system Apple ID password prompt still looks like a phishing scam. My understanding is that a developer could reproduce the overall look and feel of this dialog, but would be unable to read my Apple ID’s email address and the prompt would not persist after switching apps. So, while I am fairly confident that my password is not in the hands of some criminal enterprise, I will be changing it.

    This dialog is in desperate need of a redesign that clearly indicates that it is something that is generated by the system rather than an app. Perhaps the app could be shaded and zoom out slightly, as with the share sheet, and a sheet similar to the in-app purchase confirmation could prompt for the password. I’m not sure if this is the right solution, but it would more clearly indicate that this is a system-level action and that it’s safe to enter your password.

Ever since subscriptions were opened up to all types of app, they have become a scammer’s best friend. Coupled with a free trial, they offer a low barrier to onboarding users and generating recurring revenue. Apps that offer subscriptions should be more closely scrutinized, particularly when the app is for jokey entertainment purposes or when there are a large number of negative reviews.

Update: Riley Tomasek pointed out that new rules are being imposed by Visa (PDF) regarding recurring payments. The requirements are set to go into effect on April 18, and seem to apply to vendors. I’m not sure there will be many changes in practice to App Store subscriptions, but Visa is now mandating that a reminder notification must be sent at least seven days in advance of a free trial ending — potentially meaning that free trials will need to be at least a week long.