Scammers Have Earned Over $365 Million by Stealing from Unsuspecting App Store Users

[Image: App Store, iTunes, Apple Music and Health icons. Credit: Primakov / Shutterstock]

There’s been a resurgence of App Store scams in recent months, leading many to question exactly how effective Apple’s policing of the App Store really is, and now new research suggests just how much money scammers are actually raking in from their deceptive subscription apps.

Last month, developer Kosta Eleftheriou highlighted several apps that he had found on the App Store that promised to offer the same features as his app, FlickType, yet these “features” were locked behind expensive subscriptions that actually took users’ money and offered nothing in return. They were completely non-functional apps that baited users into downloading them with fake reviews and ratings, and then tried to trick them into signing up for subscriptions that could easily run into hundreds of dollars per year.

Eleftheriou pointed to one of the most popular of these apps, KeyWatch, which was actually generating $2 million per year through its fake subscriptions. To add insult to injury, the scammer had stolen Eleftheriou’s own marketing materials, including his promo video for FlickType, and used them to promote the scam app instead.

Fleeceware Abounds

Now, researchers at Avast have done some digging and discovered exactly how pervasive the problem truly is.

They’ve identified a total of 134 “fleeceware” applications on the App Store that have a combined total of over half a billion downloads and over $365 million in revenue.

To be clear, this problem isn’t exclusively limited to Apple, as Avast’s research encompassed the Google Play Store as well. Interestingly, however, despite 70 fleeceware apps accounting for roughly the same number of downloads on Android devices, this only generated $38.5 million in revenue on the Google Play Store. Several research reports over the years have shown that Android users are less likely to pay for apps or in-app subscriptions, which is likely the main reason for this disparity.

“Fleeceware” is a term that was coined by British security researchers a few years ago to refer to apps that are designed expressly to “fleece” users by charging excessive monthly subscription fees, usually after a very brief trial period has passed. The intent is to get users to agree to a free trial in the hopes that they’ll forget to cancel it later.

Unlike the outright scam apps that Eleftheriou identified, however, fleeceware apps usually work exactly how they’re designed to. The problem isn’t that they’re non-functional, but rather that they overcharge — by a lot — for whatever functions that they do offer.

This actually makes it much more likely that a user would sign up for a trial, either ignoring or forgetting to cancel before recurring subscription fees begin to kick in. After all, if the app works, the user might very well be enjoying it during the free trial, but whether they want to pay hundreds, or thousands of dollars per year for those features is another matter entirely.

In fact, Avast found that the subscriptions in some of these apps could actually run as high as $3,422 per year.

To make matters worse, these applications generally don’t have any particularly special capabilities that users couldn’t find in many less expensive, or even free apps. They’re merely “conduits for fleeceware scams.”

While Avast doesn’t list any apps by name, it does provide examples of the types of fleeceware apps that are most commonly found:

  • Musical instrument apps
  • Palm readers
  • Image editors
  • Camera filters
  • Fortune tellers
  • QR code readers
  • PDF readers
  • ‘Slime simulators’

While the most expensive app that Avast found charged $66 per week for a subscription, most of them are going for more modest subscriptions ranging from $4 to $12 per week — amounts that are much more likely to fly under the radar on many users’ credit card statements.

In the report, Avast researchers also note that the apps are designed to target younger audiences, using “playful themes and catchy advertisements” on many social networks, while promising “free installation” or “free to download.”

As a result, kids may download the apps and sign up for the features without even realizing it, and even if the scammers only collect one or two subscription payments before the parents notice the charges, that can add up to a significant amount of money when it’s multiplied across thousands, or even millions, of users. With over a billion downloads of these apps across both stores, it only takes a small percentage of users getting caught in the trap to funnel a lot of money into scammers’ pockets.

What Apple Is Doing About It

Avast notes that it has reported all of the apps it identified to both Apple and Google for further investigation, and Apple most definitely has policies that prohibit sketchy and misleading app subscriptions.

The problem, however, is that many fleeceware apps legitimately follow all of Apple’s rules: they offer the advertised functionality, and they list trials and subscription fees properly.

As a result, Apple has more recently started cracking down on ‘rip-off’ apps, more aggressively enforcing a policy that’s been in the App Store for a while.

While pricing is up to you, we won’t distribute apps and in-app purchase items that are clear rip-offs. We’ll reject expensive apps that try to cheat users with irrationally high prices.

App Store Review Guidelines

While Apple has been hesitant to make judgement calls about how much developers should charge for services, it’s starting to step in and reject apps with what it considers “irrationally high prices,” forcing developers to justify the need to charge so much.

Unfortunately, since Apple pockets a 15-30 percent cut of all App Store purchases, some are starting to question whether it’s really in the company’s best interest to shut down apps that are raking in hundreds of millions of dollars. After all, 30 percent of 400 million is 120 million in Apple’s pockets.

This is the basis of a lawsuit that Eleftheriou has filed against Apple, accusing it of profiting from fraudulent practices, and doing little to police scam apps because it would affect its bottom line.

The other side of this argument, however, is that while $120 million may sound like a lot of money to us normal folks, it’s pocket change for Apple. In fact, it’s little more than a rounding error in the $20 billion that Apple made from the App Store last year alone.

Further, Avast’s data, which comes from analytics firm Sensor Tower, reflects the lifetime revenue for these apps, many of which have been around for at least a few years.

In our opinion, this makes it highly unlikely that Apple would risk the reputation of its App Store for such a paltry sum. It would be like a public official earning $100,000 per year compromising their integrity for a mere 600 bucks.

While we won’t argue that Apple should be doing a lot more about this, it’s also pretty easy to armchair quarterback in this situation, and it’s unfair to suggest that Apple isn’t doing anything at all. Considering how aggressive scammers can be, it’s quite possible that it’s only because of Apple’s strict App Store policies that we aren’t seeing an explosion of scam apps like these.

What You Can Do About It

The good news is that it’s not hard to avoid being trapped by these fleeceware apps if you’re simply a bit diligent.

The first thing to keep in mind is that they can’t take money from you unless you give them permission to actually do so. The catch is that they’ll try to trick you into granting that permission.

Fortunately, one of the many benefits of the App Store is that all purchases go through Apple and therefore have to be approved through a payment system that’s common to every single app. While Apple might be able to do better in making subscription terms more prominent, the details are always listed on this screen.

This includes the length of the trial period, the date that you’ll be charged for the subscription, and the amount and subscription period. Read it carefully, and if any of this doesn’t match your expectations, hit the Cancel button and run away fast.

In fact, Apple has gone so far as adding an extra step to make you confirm you really want to take out a recurring subscription. Once you authenticate your purchase with Face ID, Touch ID, or your password, you’re then alerted with a standard prompt that asks you to confirm the subscription, reminding you that this is not a one-time purchase, but something that will continue until you cancel it.

Better yet, you can check the available in-app subscriptions before you download an app, as Apple — not the developer — publishes a list of the in-app purchases and subscriptions that are offered within the app. This is the “menu” of purchases available in the app, and since everything has to go through Apple’s payment system, a developer can’t charge you for anything that isn’t on the menu.

This is a good check even for legitimate apps, since if the subscription prices shown here are higher than you want to pay, you can save yourself some time and avoid downloading the app in the first place.

Further, even though many of these fleeceware apps are directed at kids, it’s actually easy to keep your kids from spending money without your approval; Apple already provides several ways to do so, from blocking purchases entirely in Screen Time, to enabling “Ask to Buy” in Family Sharing. Following these steps will effectively make sure that nobody under the age of 18 in your family gets duped by any of these apps — assuming, of course, that you’re also careful about which purchases you approve.

Lastly, even if you’ve been duped by one of these apps, all hope is not lost. Another great thing about the App Store is that since Apple manages all the payments, you can easily cancel your subscription and also ask Apple for a refund. This process is handled entirely by Apple, so there’s no need to deal with the developer at all, and you’ll still get your money back even if you’re dealing with a complete scammer.
