Though technically not malware, they scam unsuspecting users through hidden costs and exorbitant recurring subscription rates.

Apple device users are being targeted by applications that overcharge them through costly subscriptions or unscrupulous in-app purchases.

This kind of app, called “fleeceware” by researchers from Sophos, is available on Apple’s official App Store. The 30 fleeceware apps found there have been downloaded around 3.6 million times, according to publicly available data.

The fleeceware apps include image editors, horoscope/fortune telling/palm reader, QR code/barcode scanner, and face filter apps, with some charging weekly subscriptions of US$9.99 (or US$520 a year).

Sophos first alerted mobile users to fleeceware in September 2019, when it found a number of such apps available for Android phones. In January 2020, the researchers published a further paper detailing the discovery of another 20 such applications, with nearly 600 million alleged installations between them, as reported by Google Play.

Jagadeesh Chandraiah, senior security researcher at SophosLabs and author of the fleeceware reports, said: “The main purpose of the iOS fleeceware apps we found seems to be severely overcharging users. As was the case with the Android apps discovered in 2019, the app developers take advantage of monetization practices widely used by legitimate free apps, but take them one step further.”

For example, in the hands of the fleeceware app developers, short free trials followed by a monthly subscription soon add up to hundreds of dollars a year in charges, and in-app purchases turn out to be essential for good app functionality rather than optional enhancements or extras.

“Fleeceware apps are not officially malicious, but they are unethical, preying on consumer trust with devious techniques designed to make money. They appear to encourage unsuspecting users to install them through aggressive online advertising and what are likely to be fake five-star reviews. Fortunately, there are some practical steps mobile users can take to better protect themselves against fleeceware. This includes knowing how to cancel an unwanted subscription and taking a close look at an app before installing it,” concluded Chandraiah.

Advice for mobile phone users

  • Only install apps from official and trusted app stores like the Apple App Store and Google Play—malicious or unscrupulous apps are regularly reported to them by security researchers and others.
  • In spite of the above precaution, always remain vigilant when installing apps. Only install those you are familiar with, and carefully scrutinize those that are new or which you have heard about through in-app advertising.
  • Know how to cancel subscriptions—just deleting the app from your phone is not enough. The best online directions are on Apple’s support page and Google’s Play Store support page.
  • Have an effective security solution in place that will alert you to dubious applications before they can do any harm.