A new type of scam is successfully exploiting weaknesses in Google Play and Apple App Store to trick users into expensive subscription charges for generic apps with no unique functionality, security researchers have found.
Security vendor Avast compiled lists of 204 so-called 'fleeceware' applications for the Google Android and Apple iOS mobile operating systems, and said the scam, which targets younger users, is increasing in popularity.
Apps such as image editors and camera filters are offered up in the app stores with short, free three-day trials after which steep subscription charges kick in.
Avast found weekly, monthly and annual charges being levied by the app vendors.
Most are in the US$4 to US$12 per week range, which adds up to US$208 to US$624 per year, but Avast also found one app that costs US$66 per week, which is "a ludicrous US$3432 per year," the security vendor said.
Fleeceware scammers take advantage of users not fully understanding how app subscriptions work.
Users are often not aware that the high subscription charges continue even after an app is deleted; Google and Apple say they are not responsible for refunds after a certain period of time has passed.
Instead, Google and Apple redirect users wanting refunds for subscription charges to the app developers, who in turn ignore the complaints or refuse to return funds.
"All in all, it appears there is very little that victims can do in these scenarios other than contacting their bank and requesting a chargeback," Avast said.
Scammers are likely investing substantial amounts of money to advertise on social networks such as Facebook, Instagram, Snapchat and TikTok, and creating fake reviews in the official app stores to promote the fleeceware.
The scam is very lucrative for the developers: the 134 iOS and 70 Android applications Avast found have brought in an estimated A$481 million and A$50 million respectively, with data indicating they have been downloaded approximately a million times.
Avast suggested that Google and Apple add a prompt to cancel subscriptions when users delete and uninstall apps, to help combat the scam.
Currently, Google warns of active subscriptions when apps are deleted; Apple puts up a prompt asking users if they wish to continue with their subscriptions.
Google and Apple could also add further confirmation of subscription charges after the free trial ends, and remove and filter out fake reviews.
Charges for in-app purchases are also opaque currently, and can be deceptive and even hidden, tricking users into thinking they are only signing up for free subscriptions, Avast warned.
Parents should secure their app store payment methods with passwords or biometrics and educate children about the costly dangers of fleeceware to prevent accidental subscriptions being taken out.