Naked Security

Fleeceware on your iPhone? Don’t get caught out while penned up at home

The app's free. But the subscription most certainly isn't!

Trying to keep your kids entertained?
Looking for something to take the “long” out of the forthcoming long weekend? (Ever thought you’d be worried about a weekend being “long”?)
Ready to try some new apps, just to see what they’ve got to offer?
If you are, please read the latest report from SophosLabs first, entitled Don’t let fleeceware sneak into your iPhone.
Ace Sophos researchers Jagadeesh Chandraiah and Xinran Wu have just published a follow-up to an investigation carried out last year into what we dubbed the “fleeceware” phenomenon on Google Play.
This time, we’ve turned our focus on fleeceware in the Apple App Store.
Fleeceware, in case you’re wondering, isn’t actually malware – the term refers to apps that offer you some sort of legitimate functionality, albeit very little, on a subscription model that’s not little at all.
In other words, the app is free…
…but the strings attached are not, and may end up being very expensive indeed.
The “trick” that many fleeceware apps use is to invite you to sign up for a trial subscription to “unlock” the app, with the proviso that if you don’t like it you have to cancel within a few days – often just three days, which both Apple and Google permit – or else you start getting billed.
Maximum subscription rates typically vary by region, but you could be on the hook for a weekly, monthly or even a yearly fee, billed in advance.

One of the Android apps we identified last year, for example, was a QR code reader that was little different from the one already built into your phone’s camera app, yet it went for a whopping €104.99 even if you uninstalled the app straight after trying it and never used it again.
This time, SophosLabs has taken a look at the App Store, and as Jagadeesh explains it:

Many of the fleeceware apps we see are advertised within the App Store as “free” apps, which puts the apps at odds with section 2.3.2 of the App Store Review Guidelines, which require developers to make sure their “app description, screenshots, and previews clearly indicate whether any featured items, levels, subscriptions, etc. require additional purchases.”
If you think one of these apps is free and install it, the app presents you with a “free trial” notification immediately upon launching the app for the first time. This notification prompts the user to provide payment card details. In some cases, most of the useful features of the app will only be usable if you sign up for the subscription. Some users may sign up to subscribe without reading the fine print, which includes the actual cost of the subscriptions.

And those subscription costs can really add up:

Zodiac Master Plus, one of the apps on our list of fleeceware, is listed as the 11th highest revenue-generating app. Another app, named Lucky Life – Future Seer, is earning more revenue than even the extremely popular Britbox, one of the UK’s most popular subscription streaming TV services.

What to do?

Sadly, there are no shortcuts.

  • Always read the small print. Even, or perhaps especially, if it’s in a light grey font that’s hard to see.
  • Subscriptions don’t go with the app. The subscription goes with your Apple or Google account, and that’s where you need to go to cancel it. Deleting the app will leave you still signed up and still paying the fees.
  • Prefer apps where you get the trial before you sign up. Be wary of handing over your credit card at the start of the trial instead of the end.

For advice on how to check and cancel subscriptions from your iPhone or iPad, please head to the SophosLabs report.
