Imagine an Android GIF-making app available on Google Play that automatically charges €214.99 ($253) to continue using it beyond its three-day trial period. Or how about a completely unremarkable QR code reader app, whose developer thinks that a charge of €104.99 is a fair price to continue using it 72 hours after it was downloaded. If you think these prices sound far-fetched, we have news – researchers at SophosLabs have discovered at least 15 apps, downloaded millions of times between them, that charge these extraordinary prices under Google’s nose. The most unexpected part of this discovery? By exploiting a loophole in the Play store licensing regime, this behaviour appears to be legal.
The scam works by exploiting the legitimate app behaviour of allowing users to download apps under a trial license period which, in this case, ends after a few days. There is nothing obviously malicious about the apps, which mostly work as advertised, although their features are identical to those of advertising-supported apps that cost nothing. Importantly, the apps ask users to submit their payment details during the trial period, and most users probably assume the charge won’t apply if they uninstall the app. Because the huge annual subscription price is only mentioned in small print, users probably assume the cost will be a few dollars or euros. SophosLabs’ researchers discovered three apps charging €219.99 for full licenses, another five charging €104.99, and one charging €114.99. One of these ‘fleeceware’ apps had more than 10 million downloads, two had 5 million, and the rest had between 5,000 and 50,000.