‘Fleeceware’ apps overcharge users for basic app functionality (sophos.com)
107 points by GiulioS 19 days ago | 79 comments



Similar abuse occurs in Apple's ecosystem as well. It was really easy to subtly sign someone up for a $99/week subscription, but I'm not sure if this is still the case. A lot of these scam apps appeared regularly in the App Store's "Top Grossing" charts — easily millions of dollars every month were/are going to these kinds of apps.

This is an interesting example of incentive alignment — in some sense, it's in Apple's best interest to let this abuse slide since they're also profiting off of it (though obviously that's not a long-term, deliberate strategy).

This article covers it well: How to Make $80,000 Per Month on the Apple App Store (https://medium.com/@johnnylin/how-to-make-80-000-per-month-o...)


One of my kids managed to somehow bypass the restrictions I'd put in place on their device and signed up to a subscription that was a free three day trial, after which it would cost $79 per year.

Luckily I also get emailed whenever there's activity on the account.

Kid can't remember doing it, doesn't know how they did it, was upset at themselves.

Device is locked down even harder now - as a result of looking up all the myriad settings to stop scams getting through and credit card details removed from the account.

It should be hard to subscribe and easy to lock down. Not the opposite. The default should be "no spend". And this is from our heroes of privacy: Apple.

(Not Apple bashing here; entire industry bashing. They're all grossly immoral no matter how legal it all is)


Apple has gotten better at these things, now you can set up a kid's device to forward all requests to purchase apps or IAPs to the parent's device which has to approve it.

I also don't remember it being very hard to lock down purchasing using parental controls in older versions of iOS, if you don't mind me asking which version of iOS was the kid running?


iOS version, I'm not sure precisely, maybe two versions back from whatever is current.

The device was / is set up using my account since I'm not ready to let them have their own account - whether it's a child account or otherwise. I don't use iDevices though, so there's no security compromise between what I want to be able to do with the account and what restrictions I want on the kids.

I had specified a password was required for any purchase, and to my knowledge this was still the case when the incident occurred. The additional locking down was done via the (relatively new at the time) Screen Time restrictions, plus requiring a password for ANY app installs (free or paid).

My assumption (and that's all it is) is that because the trial was free, it was allowed without a password, where the "gotcha" is the auto-pay upon trial expiry. I also assume that this subscription process was started due to an in-game advertisement dark pattern that led towards unknowingly signing up.

(I will accept without argument some amount of blame on the "bad parent deserved it for not observing their kids' device activity" spectrum. Also if there are additional restrictions on children's accounts - but I have my own squeamishness about setting up account details for a minor)


I don't think this reflects badly on you at all. Until very recently it was really hard to have an account with restrictions somewhere in the middle of 100% free and 100% locked down. Even now it can be pretty confusing. I personally would put the blame on the app devs for the dark patterns and Apple for not vetting it properly.


I don't know about earlier versions, but iOS 12 and newer definitely require a password (or Touch ID / Face ID) for starting a free trial subscription, and even for downloading a free app unless you turn that off.


Apple Arcade is their solution to this. Pull the pressure off developers to build IAPs into their apps and see the quality of apps increase.


It wasn't too hard to pull off this trick with Touch ID devices - you put your finger on the home button and before it goes back to the home screen it authenticates the purchase with your fingerprint. Apple has put some measures in place to prevent this from happening, or at least notify you immediately about the purchase if you leave the app before it's completed.

Since the iPhone X with Face ID, you have to double tap the side button to authorize a purchase, so it's not so easy anymore.

Fortunately, you can get a refund within 14 days, no questions asked, by going to reportaproblem.apple.com and choosing "I would like to cancel this purchase".

If you're outside the EU or it's been longer than 14 days, you can try the "I would like to request a refund" option - you will be either refunded automatically or it will be sent to Apple support for review and they'll get back to you within 48 hours. I've actually had luck with refunding an app and an IAP even when someone manually reviewed it, but YMMV.


How are these apps getting past app store review?


I wonder if the prices can be adjusted after the app is published. So the scammer publishes the app with a reasonable price, gets past review, then ups the price and profits.


Yes, you can apparently do this via App Store Connect.


App Store Review isn't very consistent or thorough.


This is blogspam of https://news.sophos.com/en-us/2019/09/25/fleeceware-apps-ove...

The only thing this user does is submit articles from secalerts.co, and almost all of them are blogspam.


Thanks, we've changed the URL to that from https://secalerts.co/article/android-apps-sold-for-hundreds-....


We can whack this mole, but really we just need a credit law (or convention from VISA/Mastercard) applied in as many countries as possible that says all charges on a credit card need to be pre-approved.

So if you want to take $99/month from my CC I have to approve it, using a PIN, and say how many months I am happy for this to go on for. Basically what Paypal offers to terminate subscriptions should be at the card level for all transactions.

This will stop the whole class of "forget to unsubscribe" type scams.

In the meantime hopefully everyone hit will do a chargeback which would force Google to do something.
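As an added illustration of the card-level pre-approval this comment proposes (example code written here, not from the comment author or any card network; the mandate model, function names and PIN handling are assumptions), a merchant-initiated charge is refused unless the cardholder has approved that merchant, a per-charge ceiling and a number of billing periods with a PIN:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed model of the commenter's proposal: the card issuer only honours a
# recurring charge that the cardholder pre-approved with a PIN, for a stated
# per-charge ceiling and a stated number of billing periods. All names are
# hypothetical; no real card-network API is involved.

PBKDF2_ROUNDS = 50_000


@dataclass
class Mandate:
    merchant: str
    max_amount_cents: int      # ceiling per charge
    periods_approved: int      # e.g. how many months the holder allows
    periods_used: int = 0


@dataclass
class CardAccount:
    pin_salt: bytes
    pin_hash: bytes
    mandates: dict = field(default_factory=dict)   # merchant -> Mandate
    log: list = field(default_factory=list)         # (merchant, cents, outcome)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def open_account(pin: str) -> CardAccount:
    salt = os.urandom(16)
    return CardAccount(pin_salt=salt, pin_hash=_hash_pin(pin, salt))


def approve_recurring(acct: CardAccount, merchant: str, max_amount_cents: int,
                      periods: int, pin: str) -> bool:
    """Cardholder explicitly pre-approves a merchant; a wrong PIN changes nothing."""
    candidate = _hash_pin(pin, acct.pin_salt)
    if not hmac.compare_digest(candidate, acct.pin_hash):
        return False
    acct.mandates[merchant] = Mandate(merchant, max_amount_cents, periods)
    return True


def attempt_charge(acct: CardAccount, merchant: str, amount_cents: int) -> str:
    """Merchant-initiated charge. Returns 'approved' or a denial reason.
    The default is 'no spend': anything without a matching mandate is refused."""
    m = acct.mandates.get(merchant)
    if m is None:
        outcome = "denied: no pre-approval for merchant"
    elif amount_cents > m.max_amount_cents:
        outcome = "denied: exceeds approved amount"
    elif m.periods_used >= m.periods_approved:
        outcome = "denied: approved periods exhausted"
    else:
        m.periods_used += 1
        outcome = "approved"
    acct.log.append((merchant, amount_cents, outcome))
    return outcome
```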


> We can whack this mole, but really we just need a credit law (or convention from VISA/Mastercard) applied in as many countries as possible that says all charges on a credit card need to be pre-approved.

That would help, but it wouldn't completely stop the abuse. I recently decided to try out the VPS offerings at [a major cloud provider]. I paid for one month of a VPS with Paypal, quit using it before the end of the month, and didn't pay for another month. Unlike every respectable cloud provider I've ever used, they apparently wanted me to navigate their interface to figure out how to cancel the VPS and do that. Instead they kept it running for another two months (they say), and after one attempt to contact me by email (which I missed), turned my entire account over to collections, with all the mess that entails for me.

So even preventing recurring charges won't necessarily help if the companies move to claiming that you never canceled your subscription and then trying to bill you for it later, or sending your account to collections.


Awful. I had the same experience with Online.net. A prepaid service that was paid, and then I cancelled through the bank, forbidding them from charging me, YET they kept the service running for a month, but I couldn't cancel as they blocked my account for non-payment (impayé). In the end I left the account in this state and stopped caring.

As far as I had understood it, if I don't pay, it SHOULD be suspended and deleted immediately, NOT kept running and then the provider claiming I owe them for that service.


Yep! Very similar situation in my case. Since Hetzner requires you to give them a name, phone number, address, etc. it's very easy for them to track you down later when they want to pull this scam.

> As far as I had understood it, if I don't pay, it SHOULD be suspended and deleted immediately, NOT kept running and then the provider claiming I owe them for that service.

With every VPS I've ever used, this is the case. The nice ones will send you a warning before shutting it down a few days later. I'll steer clear of online.net because of your warning.


I had this situation in 2014 with Amex and a very large hosting bill from a server provider (non-cloud, it was a typical dedicated host LLC operation, although fairly reputable). In my case I had even explicitly instructed them to cancel and they did not. I went back and forth with Amex for about six months. The server provider even forged the date on PDFs to make me look wrong. I don’t remember the exact resolution, I might have partially recovered the money. But it was a nightmare.


That sounds awful. I'm sure I'm not the only one who would like to know which cloud provider this happened with.


That was Hetzner.


They are quite loved on HN. Hopefully they'll change their process in response to being outed here :-)


Run for your life. I've used probably 10 VPS services at various points, including some small enough that they're probably run by one person reselling from a dedicated server provider. Some of them have great customer service. Some of them don't.

But I've never, not even once, had someone try to pull a billing scam on me. I will never consider Hetzner for anything again.


Google makes it even harder, as if you wish to delete a credit card, you have to log in to a website version of the part of Google Play which manages them; yet, you still need to leave at least one CC number there. I deal with this by using a feature my credit provider offers, which allows users to generate and delete valid virtual CCs arbitrarily.


The deal is that trial apps are allowed to charge $ after the trial ends.

To avoid it users have to uninstall and tell the developer. Since nobody reads and understands this fine print, charging after the trial is ok, as it complies with Google rules.

No laundry here...


The fix could be pretty simple: Have the trial API built so that it locks out the app at the end of the trial and presents a pay-to-continue or uninstall option dialog the next time the user tries to use it.


My daughter often wants to download iphone games.

A lot of these games will charge $4.99 per WEEK for access to keep playing without ads, etc.

A lot of pc games cost much much less than that.

And while I am talking about the cost of games https://itch.io/ is a fantastic place for free and cheap and pay what you want games.


Yes, this weekly subscription model for games even to just remove ads has become annoying. Thankfully you can just subscribe to AdGuard Pro for $3/year (yes, it's that cheap) and set it to use AdGuard DNS - this blocks ads in mobile games nicely.


I’ve always thought this would be a money laundering opportunity. Sell an app for an outrageously high price, buy App Store gift cards with dirty cash, and then buy your app from yourself. You could almost certainly get an army of cheap labor to buy your app on their phones if you gave them a gift card worth say 110% of the app’s cost. You’d lose a pretty big chunk to App Store fees and taxes but it’d be clean.


There are a few common scams that directly demand Google Play or iTunes gift cards from the victim. The most depressing one I've heard about is a phone scam where the caller claims to be from the IRS and demands that the victim pay some overdue taxes in the form of gift cards. This is common enough that I've seen notices specifically warning about it on the gift-card displays at drug stores. The fact that this scheme apparently works says a lot about America's civics education.


I disagree about the civic education. Everyone knows the IRS doesn't take gift cards, it's more about taking advantage of people when they have a panic response. You get a call from the government saying you're going to jail if you don't pay them right now, you may panic. If you panic, what are the odds that you're going to get yourself under control before you do something stupid?

I've seen this happen to a very bright coworker of mine, it's all about taking advantage of human fear.


> Everyone knows the IRS doesn't take gift cards

If that were the case then nobody would fall for the scam.


That's true. (And this is tangential anyway.) I do think that a greater familiarity with how the government works could help in that moment of panic, reducing the self-doubt of "I don't think this sounds right, but what if I'm wrong?"


To follow up on the other response to your comment, remember that for these scammers, this is their job, and they do it over and over again, day in and day out. They know what strategies work and what doesn't, and manipulating people to doing something stupid is their whole goal.

They are experts in scamming people, and the people they are calling are not experts in detecting scams.

It is important to encourage people to trust their Spidey sense, most people know something seems off when these calls come in. But we need not trash people for falling for scams.


I've seen people doing this with Turo.

Sorry, but if you're renting out your Chrysler 300C at $550/day and it's booked (not just unavailable) for weeks at a time...

... that's not legitimate. Someone is laundering money, there. The best bit is if you're coordinating it, you don't even lose access to the vehicle, because there's no verification that an exchange of property took place.


That's a pretty clever idea and an easy way to clean $200k a year.


Yeah but what about the other half of the transaction? That person needs to have identity verified and a license in the system. That doesn’t sound like a good starting point to a laundering scheme.


If you're a dealer?

"Sign up for this site. I'll give you $5,000 to put in your bank account. You're going to 'rent' my car, except I won't actually give you my car. In exchange, I'll give you a discount on your drugs for the next six months."

Drug addicts in the throes of withdrawal, or 'savvier'? Absolutely would go for such "deals" like this. And really, it's probably fairly low risk - the worst that is likely to happen is that Turo disables your account.


Does Turo accept gift cards? Not clear how the cash gets turned legit. Thx


I think it would work if the scammer put their car up as the rental and used a fake/stolen identity to overpay for it. As long as the fake buyer doesn't get linked to the scammer's real identity, the proceeds will look legit.


It's 30% for the App Store. I attended a money laundering course and that was about the going rate for large value sums.


> I attended a money laundering course

Hmmm? Hopefully from an anti-laundering perspective, right?


After the 30% Apple takes, you still have to pay tax.


You mean that launderers are typically taking a 30% cut from the dirty amount to launder the money?


Their "profit" would probably be much less than that - they have their own overheads for doing the actual laundering.


I wouldn’t be surprised if money laundering takes 50% off your pre-laundered money. It’s a funny world when some people are paying to avoid taxes and some paying to pay taxes!


I think deniability of criminal activity is the main goal, rather than tax evasion.


Laundering money makes you pay taxes, not evade them.


It has been suggested that Amazon has been used for this, too.

https://www.theguardian.com/books/2018/apr/27/fake-books-sol...


What are the counterfeiters doing if not exploiting the certainty that Amazon will provide the absolute least amount of oversight their lawyers can defend some years from now...

https://www.insider.com/amazon-selling-toxic-toys-lead-poiso...


Except it'd be fully traceable to you if it was discovered. Not to mention it probably sticks out like a sore thumb analytics wise.


> to you

you mean, to your fake identity??


It's probably still easier (and with less loss) to sell $500 gift cards for $450 on eBay.


I've sold Amazon and Best Buy gift cards for more than face value on eBay.

https://www.reddit.com/r/apple/comments/6uypt5/what_to_spend...


Probably more obvious though if you're moving a ton of gift cards on eBay.


Seems like that'd be a tricky proposition. There are a lot of people who would be happy to buy your $500 gift cards at $450.


But does this scale? People seeking to launder money reckon in large sums.


I'd agree. Should I ever have thought about ways to launder money, it's the ability to scale, not so much the %, that's important.


Why even bother with changing the price?


Reminds me of the I Am Rich app on iOS: https://en.m.wikipedia.org/wiki/I_Am_Rich


There's a massive difference to the app you link to.

The I Am Rich app was totally upfront about what you get. Namely: you pay $999 for a red gem (as I recall) on your phone's display. There was nothing sneaky or underhanded about it.

Essentially it was an app for people who wanted to prove that they have money to blow, but coughed from smoking cigars lit with $100 bills.

The idiocy of it was part of the concept, but the app was very upfront about what it does and what it costs.

This is different in that you get a crappy, redundant app, which is "free", but sneaks in a very expensive subscription model of which you are not aware, which is not really mentioned (or if so, then via very dark patterns) and which is very hard to get out of.

The first is, arguably, an expensive piece of conceptual art (not on the phone, but on a meta level); the second model is outright fraud.

What's discussed here is very different.


Was just about to link this. Although the OP sounds much more insidious; I Am Rich was pretty up-front about everything.


> they overcharge users for functionality that’s widely available in free or low-cost apps.

The first thing I thought of here was YouTube charging me to play music with my phone locked in my pocket.


Another example that comes to mind: headphone companies purposefully/artificially downgrading the sound quality of their lower-end models with cheap foam or something, while still using the exact same hardware as the higher-end model.


Which headphone company does this? Genuinely interested, as I am very into portable audio, and haven't heard anything about it.


In a way, it's good that they charge stupidly high amounts (the article has screenshots with claims of >100 GBP/USD). That high, most people would make some noise to get it back. If it had been $10 or similar, more people would either not notice it, or they would just jot it under the "well, shit, lesson learned" account.


And Google is allowing this.


I fail to see the problem here. There are dozens of these apps offered for free, some the developer decides to charge per month. User just has to find the free ones.

Should Google now tell app developers what to charge? That's ridiculous.


No.

But Google and Apple ought to require clear disclosure of price and conditions. Also, free trials shouldn't transition to paid usage without explicit authorization.


OK on your first point, but your second point... that's exactly what a free trial is by definition. It's free for a period of days until you are a paying member.


Not really. Payment should require authorization at the time of payment. I mean, what's the point of a free trial if you must commit to paying in order to start the trial?

I do understand that this is a common dark pattern. But common or not, it ought to be illegal. And these bullshit apps are perfect examples of why. So is the New York Times, but that's a different fight.
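The trial lockout suggested earlier in the thread ("locks out the app at the end of the trial and presents a pay-to-continue or uninstall option") and this comment's point that payment should require authorization at the time of payment, as an added example that is not from any commenter, the Sophos article, or either app store; the `Subscription` class and its states are hypothetical:

```python
from enum import Enum

# Constructed example of a trial that cannot silently turn into a paid
# subscription: the app locks at trial end, asks the user to choose, and bills
# only after the platform has authenticated that choice. Hypothetical design,
# not Google's or Apple's billing API.


class State(Enum):
    TRIAL = "trial"
    LOCKED = "locked"   # trial over; app unusable until the user decides
    PAID = "paid"
    ENDED = "ended"     # user declined or uninstalled; nothing is ever billed


class Subscription:
    def __init__(self, trial_days: int, price_cents: int):
        self.state = State.TRIAL
        self.trial_days = trial_days
        self.price_cents = price_cents
        self.charges = []   # (day, cents); appended only via explicit consent

    def on_launch(self, day: int) -> str:
        """Called every time the app opens; 'day' is days since install.
        Returns the screen the UI must show."""
        if self.state == State.TRIAL and day >= self.trial_days:
            self.state = State.LOCKED
        if self.state in (State.TRIAL, State.PAID):
            return "use_app"
        if self.state == State.LOCKED:
            return "pay_or_uninstall_dialog"
        return "uninstall_prompt"

    def user_chose(self, choice: str, day: int, authenticated: bool) -> State:
        """Response to the lockout dialog. The fleeceware pattern charges at
        trial expiry with no step like this; here an unauthenticated tap on
        'pay' is not consent and the app simply stays locked."""
        if self.state != State.LOCKED:
            return self.state
        if choice == "pay" and authenticated:
            self.state = State.PAID
            self.charges.append((day, self.price_cents))
        elif choice != "pay":
            self.state = State.ENDED
        return self.state

    def billing_cycle(self, day: int) -> bool:
        """Scheduled merchant-side renewal. Only an active PAID subscription
        renews; a lapsed trial never produces a charge."""
        if self.state == State.PAID:
            self.charges.append((day, self.price_cents))
            return True
        return False
```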


The correct way to opt out of the trial can sometimes require leaving the Google ecosystem, i.e. you must submit an email, which clearly isn't how Google wants these to run. It's also sometimes done as white-on-white text, text too small to read on a mobile device, or text that's intentionally buried in a TOS. These aren't people legitimately attempting to offer a service; they are trying to dupe people.


No, it isn't. A free trial is free for a period and then stops unless you decide you want to become a paying member.

In contrast, this here is signing up for one year with an early cancellation full refund. All the while tricking you into thinking it were a free trial.


Not that ridiculous. Google likely knows better than any one developer how much to charge to maximise revenue, in the same way that Airbnb knows best what homes will rent for. Lots of hosts defer to Airbnb's recommended price.

Of course, Google has an incentive to maximise total Play Store revenue, so their incentives don't line up with any individual developer. But I can definitely imagine a world in which almost everyone just allows Google to manage their pricing.


There is a legitimate reason for that. If you unpublish an app, existing users can't download it. The workaround is to put a high price so nobody will buy new copies.


This isn't about the up-front cost, it's a workaround where users can be unexpectedly charged down the line. Please read the article first.


Is that still true, though?

I think I've seen cases of apps being unpublished for new purchases (even free ones) but still available for downloads of existing users in both Google's and Apple's stores.


I had recently unpublished an app of mine expecting it would still be available for purchasers, didn't work. Had to resort to the outrageous price trick.


That's strange. I wonder why unpublishing didn't work for you. I have seen several apps be taken off the store by various companies but remain on my list of Purchased apps on the App Store. I can still download the apps but not see the entry on the App Store when I tap on the app's name for details.

