Imagine an Android GIF-making app available on Google Play that automatically charges €214.99 ($253) to continue using it beyond its three-day trial period.
Or how about a completely unremarkable QR code reader app, whose developer thinks that a charge of €104.99 is a fair price to continue using it 72 hours after it was downloaded.
If you think these prices sound far-fetched, we have news – researchers at SophosLabs have discovered at least 15 apps which have been downloaded millions of times between them charging these extraordinary prices under Google’s nose.
The most unexpected part of this discovery? By exploiting a loophole in the Play store licensing regime, this behaviour appears to be legal.
Getting away with it
The scam works by exploiting the legitimate app behaviour of allowing users to download apps under a trial license period which, in this case, ends after a few days.
There is nothing obviously malicious about the apps, which mostly work as advertised, although their features are identical to those of advertising-supported apps that cost nothing.
Importantly, the apps ask users to submit their payment details during the trial period, and most users probably assume they won’t be charged if they uninstall the app.
Because the huge annual subscription price is only mentioned in small print, users probably assume the cost will be a few dollars or euros.
SophosLabs’ researchers discovered three apps charging €219.99 for full licenses, with another five charging €104.99, and one charging €114.99.
One of these ‘fleeceware’ apps had more than 10 million downloads, two had 5 million, with the rest between 5,000 and 50,000.
There doesn’t appear to be any easy way to recover the money using either chargebacks or refunds.
SophosLabs malware analyst, Jagadeesh Chandraiah, with admirable understatement, said:
We haven’t seen apps sold at this price before.
When Naked Security covers stories of rogue apps in the Play store, Google often doesn’t seem to notice the problem at all until researchers report the apps for malicious or exploitative behaviour.
The failure to spot what’s going on does seem to be an issue here too – SophosLabs offers examples of Play store users complaining about fleeceware apps, apparently without anyone higher up noticing this.
For example, the user who headlined their one-star app review “SCAM THAT TAKES YOUR 95 DOLLARS!!!,” before suggesting “take this app down Google.”
So far, the company also hasn’t clarified whether apps offered under trial with very high licensing prices might breach in-app policies.
Google didn’t notice the bad reviews, or high prices, until SophosLabs alerted them to the issue, although last week 14 of the 15 apps named by SophosLabs were removed. Unfortunately, says Chandraiah…
A subsequent search revealed another batch of apps, with even higher download counts than the first, still available on the Play Market.
Which suggests this app behaviour might be what is called a ‘grey area’.
Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market.
Perhaps this is simply an extreme case of caveat emptor (buyer beware). But on the app store of the world’s largest mobile operating system maker, users should surely never find themselves being charged hundreds of euros for an unremarkable GIF utility.