Date: 2020-01-15

Sophos security researchers say they have discovered a new set of “fleeceware” apps that appear to have been downloaded and installed by over 600 million Android users.

The term fleeceware is a recent addition to cyber security jargon. It was coined by British cyber security company Sophos last September after an investigation that uncovered a new type of financial fraud in the official Google Play Store.

It refers to apps that abuse the ability for Android apps to run trial periods before a payment is charged to the user’s account.

By default, all users who sign up for an Android app trial period must manually cancel the trial period to avoid being charged. However, most users simply delete an app if they don’t like it.

The vast majority of app developers interpret this action – a user removing their app – as a trial period cancellation and do not charge any fees.

But last year, Sophos discovered that some Android app developers did not cancel an app’s trial period once the app was removed if they had not received a specific cancellation request from the user.

Sophos said it initially discovered 24 Android apps that charged obscene fees (between $100 and $240 a year) for the most basic and simple apps, such as QR/barcode readers and calculators.

Sophos researchers called these apps ‘fleeceware’.

In a new report published yesterday, Sophos said it has discovered another set of Android ‘fleeceware’ apps that have continued to abuse the app trial mechanism to charge users after they have removed an app.

These apps have been installed by more than 600 million users. The number seems high, but Sophos mobile malware analyst Jagadeesh Chandraiah said he suspects the apps may have used third-party pay-per-install services to increase the number of installations and then bought fake five-star reviews to improve their ranking in the Play Store and attract a large number of users.

It is highly likely that not all users who have installed these apps have signed up for a trial period, but those who did may want to check their Play Store payment history for any charges from previously installed, now uninstalled apps.

The table below contains the names and other indicators for the 25 Android apps that Sophos says are engaged in fleeceware behavior. One of the apps – the GO Keyboard Lite keyboard app – has a history of shady behavior. In 2017, this app was caught sending the text that users were typing on their devices back to servers in China.

Image: Sophos