
Truth-in-advertising policy fails to curb fleeceware

In June, Google updated its developer policies, adding new directives to how apps must inform consumers about the true terms and cost of subscription-based apps licensed through the Android Play Store. These changes address some of the issues that characterize apps we refer to as fleeceware.

In previous coverage of fleeceware, we showed examples of app subscription sign-up pages that had been designed to make it hard to read the terms of the app subscription. The new Google-issued rules are designed to address some forms of deceptive marketing display copy, but they also have some loopholes that permit other behavior some might consider unscrupulous.

The new terms and conditions for developers who wish to distribute their app through the official Play Store require their publishers to comply with the following directives:

As of the publication of this article, the policy has been in place for roughly two months. Of course, we were able to find some developers who hadn’t fully implemented the changes to their app that the platform required. Some of the app publishers subsequently released policy-compliant apps, but Google removed a few from the Play Store, too.

Some of the policy violations shown on these screens include the absence of a dismiss button, and billing details and terms printed in a very small, very light font that makes them almost unreadable.

Fleeceware’s new tricks

Unfortunately, we’ve found a lot of apps that appear to violate these new policies. Here are a few different grifts:

Blind Sub

When we ran samples of these apps, many of the apps prompt the user to immediately start the subscription, using a button labeled ‘Try FOR Free’ or ‘Start Free’ — before displaying the complete billing details, or giving users a way to find out what they are before starting the subscription.

Call it a blind subscription: All you know is, you’ve signed up, but not for how long or how much. According to Google, “the offer emphasizes the free trial, and users may not understand that they will automatically be charged at the end of the trial.” Publishers aren’t allowed to do this anymore, but some still try.

Spam Sub

There are a few free trial versions of apps we tried recently that displayed the screens shown below, among others. This led down an interesting rabbit hole to something we’ll call a spam subscription. You sign up once, and find yourself subscribed to a bunch of different apps as the fleeceware apps advertise one another.

Users sometimes unknowingly subscribe to hundreds of dollars worth of app subscriptions by clicking buttons like these.

In one such instance (the Photo collage & Grid photo editor app above) the offer consists solely of the highly informative ‘Try For Free (3 days trial)’ and…nothing else. Neither the billing amount nor the billing frequency was disclosed; only later might you find out it could cost you $200 a year.

Termoflauging

This fleeceware-adjacent policy violation is about the use of tricks to visually conceal the terms & conditions. While not exclusive to fleeceware, some apps that charge a subscription still display the costs or important terms literally in grey fonts on a white background, or using incredibly tiny fonts that virtually blend into the background of the subscription solicitation on a mobile device. In so doing, the publishers follow the letter, but not the spirit, of the rules – they display the full subscription details in a way that the eye trying to read them just naturally wants to glaze over.

On top of the visual impediments, in some cases the provided information is just misleading. But more often than not, it’s just shockingly accurate. The Montage app (below) displays the following terms on its solicitation page:

3 Days Free. Then $89.99/week. Cancel at anytime

This was the finest of fine print, in an almost imperceptible wisp of a font that almost looked like a horizontal line in the advertisement.

Price is still a problem

Unlike some fleeceware apps which blatantly violate Google policies, some apps have adapted to the changes. They have tweaked some buttons and the text used for their descriptions. But they still charge very high subscription prices, like the $89.99 per week app shown above, Montage.

By the way, the Montage app displays wallpapers, changing the phone background image to something new, for $360 a month. More car payment than subscription. How many grande lattes with an extra shot are you willing to buy someone else, per day, just so they can provide you with fresh new background images? Three? Six?

Google’s Play Store policies for subscription-based apps restrict a wide range of behavior, but one thing they don’t restrict is how much an app subscription can or should cost. There is an upper limit on how much apps can charge: in the United States, that number is $400, and in many countries the maximum is set in the local currency at a roughly equivalent value. But there’s a loophole. The rule doesn’t specify the duration of the subscription that can charge that maximum amount. Is it $400 a year, $400 a month, or $400 a week? Any developer can take advantage of this loophole to charge you hundreds of dollars per week.

As an aside, it was interesting to discover that, in eight countries, Google’s maximum allowable subscription charge was one or another form of “1337” – a number with geek-cred significance.

Apple changed its App Store review guidelines recently, adding restrictions that effectively ban apps that come with, in Apple’s words, irrationally high prices. In summary, Apple informs its developer audience:

And while pricing is up to you, we won’t distribute apps and in-app purchase items that are clear rip-offs. We’ll reject expensive apps that try to cheat users with irrationally high prices.

We have not come across any such policies for the Google Play Store. When we reported these high-priced apps to Google, a Google spokesperson told us “subscription costs are set at the discretion of the developer.”

Among the list of apps we reported to Google, the company declined to take action on all but a few, and in those cases, the apps changed how they display the free trial description and terms, removing the only violations. Publishers, at their discretion, may charge unconscionably high subscription prices so long as they abide by these anti-deceptive practices in their promotions.

We understand it’s difficult to set a fixed price for an app service, but when the app is subjected to review, surely reviewers can easily separate a dodgy-looking photo editor charging $90 per week from a reputable developer charging a fair price for an app with professional or premium features.

These screens come from different-but-oddly-similar wallpaper apps which all charge the oddly specific $89.99 per week. The publisher who has done this also tweaked the button text so it reads Start Subscribe, and the fine print text is the same, too (with hyphenation and spacing goofs): “3 Day-Free Trial,  then$89.99/week. Cancel at any time”

Netflix charges $16 per month for its premium service. These wallpaper apps cost the same as 22.5 Netflix subscriptions per month. The description may have some details in fine print, but vulnerable users like kids and the elderly are more susceptible to a grift like this, and more likely to lose some money.

Getting more aggressive

We’ve noticed some apps have moved the screen that solicits the user to sign up for a trial subscription to be triggered at different times, and unusually, not when the app first starts up. The delay may serve a role in ingratiating the app to the user.

Some apps require you to watch an ad – usually a video – before they allow the user to access some features. That’s fair enough, but we experienced glitchy behavior: the app would repeatedly display the subscription solicitation page when you try to access any features at all, or if you try to navigate away from watching an ad.

In the example below, several horoscope apps are trying to sign up subscriptions worth more than $70 per week – not when you press the subscribe button, but when you press the ‘back’ button on your phone. One of these apps claims to have a ‘core technology’ that, somehow, leads to improved horoscope outcomes.

No matter how sophisticated the horoscope technology, charging users of a horoscope app in the range of $300 a month is unethical. Allowing these apps on the Play Store undermines the trust users feel towards the subscription model for apps as a whole.

Many legitimate developers use the subscription model to license their mobile apps. For a while, there were more fleeceware subscription apps in app stores than legitimate subscription apps, but that has been slowly changing. However, if the abuse of the subscription model continues unabated, it may cease to be a viable business model for legitimate developers to want to be involved in, because the user’s whole experience could be tainted by their interaction with fleeceware.

The consumer-friendly improvements made by both Apple and Google since we began reporting on fleeceware apps have been good, but there is still room for improvement. Both Google’s and Apple’s store platforms have control over the entire life cycle of the app, including subscription collection, and payment processing and reconciliation. But these stores’ biggest problem right now seems to be the lack of control over pricing. A video editor or a horoscope charging hundreds of dollars for temporary access seems…irresponsible.

After the user uninstalls a fleeceware app, they get emailed information about unsubscribing from the subscription. Perhaps app stores could automatically unsubscribe the user from any recently uninstalled apps, instead of making the user do it manually.

Want to report fleeceware apps?

If you have spotted a fleeceware app on the Google Play Store or the iOS App Store that you would like to report to us, please email our Labs team with a link to the fleeceware app.

Last but not least, be wary of apps that have short trials and high costs. If you want to unsubscribe from an app trial, please follow the instructions provided by Apple for iOS users or by Google for Android users.

Want to know more about fleeceware apps?

We will be talking about fleeceware apps in detail at the Virus Bulletin security conference this fall. The VB conference is virtual and is free to register this year, and includes other great talks from our industry friends.

Some of the fleeceware we found on the Play Store includes:

Package name                                      Subscription charge     Revenue*
com.photoconverter.fileconverter.jpegconverter    $249.99/€224.99/year    $8k
com.recoverydeleted.recoveryphoto.photobackup     $249.99/€224.99/year    $60k
com.screenrecorder.gamerecorder.screenrecording   $249.99/€224.99/year    $10k
com.photogridmixer.instagrid                      $229.99/€219.99/year    $5k
com.compressvideo.videoextractor                  $229.99/€219.99/year    $10k
com.smartsearch.imagessearch                      $229.99/€219.99/year    $30k
com.emmcs.wallpapper                              $89.99/week             $20k
com.wallpaper.work.application                    $89.99/week             $30k
com.gametris.wallpaper.application                $89.99/week             $30k
com.tell.shortvideo                               $89.99/week             $10k
com.csxykk.fontmoji                               $89.99/week             $40k
com.video.magician                                $89.99/week             $30k
com.el2020xstar.xstar                             $89.99/week             $10k
com.dev.palmistryastrology                        $69.99/week             $5k
com.dev.furturescope                              $69.99/week             $90k
com.fortunemirror                                 $69.99/week             $20k
com.itools.prankcallfreelite                      $44.99/year             $5k
com.isocial.fakechat                              $45.99/year             $5k
com.old.me                                        $94.99/year             $5k
com.myreplica.celebritylikeme.pro                 $12.99/€10.99/week      $5k
com.nineteen.pokeradar                            Pay per install
com.pokemongo.ivgocalculator                      Buggy app
com.hy.gscanner                                   $79.99/year             $5k
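The pricing loophole discussed earlier (a $400 cap on each charge, with no billing period attached) is easiest to see when the table's "Subscription charge" strings are normalised to a common period. The script below is an added example written for this article, not code from Sophos or Google: it parses charge strings in the table's format ("$89.99/week", "$249.99/€224.99/year"), skips rows that carry no price ("Pay per install", "Buggy app"), converts each to a monthly and yearly USD figure, and marks any app whose individual charge stays under the $400 cap while its yearly total sails past it. The sample rows are copied from the table; the $400 figure is the article's US cap. One assumption to note: the example uses 52 weeks per year (so 52/12 weeks per month), which yields a slightly higher monthly figure than the article's four-weeks-per-month approximation ($389.96 rather than $360 for an $89.99/week plan).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from the article's table (package name, subscription charge).
# The revenue column is not needed for price normalisation and is omitted.
SAMPLE_ROWS = [
    ("com.photoconverter.fileconverter.jpegconverter", "$249.99/€224.99/year"),
    ("com.emmcs.wallpapper", "$89.99/week"),
    ("com.dev.furturescope", "$69.99/week"),
    ("com.itools.prankcallfreelite", "$44.99/year"),
    ("com.myreplica.celebritylikeme.pro", "$12.99/€10.99/week"),
    ("com.nineteen.pokeradar", "Pay per install"),
    ("com.pokemongo.ivgocalculator", "Buggy app"),
]

# Per-charge ceiling the article gives for the United States. The policy names
# an amount but no billing period, which is exactly the loophole examined here.
US_PRICE_CAP_PER_CHARGE = 400.00

# Assumption: 52 billing weeks per year, 12 months per year.
CHARGES_PER_YEAR = {"week": 52, "month": 12, "year": 1}

# Matches "$89.99/week" and "$249.99/€224.99/year"; the optional euro price
# is accepted but ignored so that every row is compared in USD.
_CHARGE_RE = re.compile(
    r"^\$(?P<usd>\d+(?:\.\d{1,2})?)(?:/€\d+(?:\.\d{1,2})?)?/(?P<period>week|month|year)$"
)


@dataclass(frozen=True)
class Subscription:
    package: str
    usd_per_charge: float
    period: str

    @property
    def usd_per_year(self) -> float:
        return self.usd_per_charge * CHARGES_PER_YEAR[self.period]

    @property
    def usd_per_month(self) -> float:
        return self.usd_per_year / 12


def parse_charge(package: str, charge: str) -> Optional[Subscription]:
    """Parse one table cell; returns None for rows with no subscription price."""
    m = _CHARGE_RE.match(charge.strip())
    if m is None:
        return None
    return Subscription(package, float(m.group("usd")), m.group("period"))


def exceeds_cap_over_time(sub: Subscription, cap: float = US_PRICE_CAP_PER_CHARGE) -> bool:
    """True when every single charge respects the cap but the yearly total does not.

    This is the pattern the article describes: a per-charge ceiling with no
    period attached lets a weekly plan bill far more than the cap each year."""
    return sub.usd_per_charge <= cap and sub.usd_per_year > cap


def triage(rows, cap: float = US_PRICE_CAP_PER_CHARGE):
    """Normalise priced rows, sort by monthly cost (highest first) and flag the
    cap loophole. Unpriced rows are returned separately for manual review."""
    priced, unpriced = [], []
    for package, charge in rows:
        sub = parse_charge(package, charge)
        if sub is None:
            unpriced.append((package, charge))
            continue
        priced.append({
            "package": package,
            "charge": charge,
            "usd_per_month": round(sub.usd_per_month, 2),
            "usd_per_year": round(sub.usd_per_year, 2),
            "cap_loophole": exceeds_cap_over_time(sub, cap),
        })
    priced.sort(key=lambda r: r["usd_per_month"], reverse=True)
    return priced, unpriced


if __name__ == "__main__":
    priced, unpriced = triage(SAMPLE_ROWS)
    print(f"{'package':48} {'charge':22} {'$/month':>9} {'$/year':>9}  loophole")
    for r in priced:
        flag = "YES" if r["cap_loophole"] else "no"
        print(f"{r['package']:48} {r['charge']:22} {r['usd_per_month']:9.2f} "
              f"{r['usd_per_year']:9.2f}  {flag}")
    for package, note in unpriced:
        print(f"{package:48} {note:22} (no subscription price to normalise)")
```

Run as-is it prints the sample rows ranked by monthly cost; the $89.99/week wallpaper app lands on top at roughly $4,679 a year, while the $249.99/year converters, the most expensive single charge in the table, never trip the flag because their one charge is also their whole year. Even the $12.99/week plan is flagged, which is the point: a per-charge cap says nothing about annual exposure unless the period is pinned down.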
