January 7, 2021 By David Bisson 2 min read

Digital attackers used Minecraft-themed fleeceware apps in the Google Play Store to prey on millions of Android users.

Surfing the Fleeceware Wave

Avast reported seven fleeceware apps to Google Play in mid-November. Most of those apps claimed to offer Minecraft-related skins, maps and/or mods for the popular game. Others offered skins for other games or advertised themes and wallpapers for Android devices.

Using those disguises, every one of the apps attracted more than 100,000 installs before Avast discovered them, and five of them topped one million. All of the apps Avast identified were still available on Google’s Play Store at the time of this writing.

What Is Fleeceware?

A fleeceware app isn’t traditional Android malware in the sense that it doesn’t contain malicious code, which is also why signature-based mobile antivirus rarely flags it. Instead, the threat comes from excessive subscription fees that the app does not clearly advertise to mobile users. Fleeceware entices a victim into downloading an app that interests them, often behind a short free trial. Then, the developer counts on the user forgetting about the program and/or failing to notice the actual subscription fee, which keeps billing even after the app is uninstalled unless the subscription itself is cancelled.

These developers target younger users who might not pay attention to the subscription’s details. The developer fleeces the victim by tricking them into paying money for something they might not want, they might not know they have or they might have gotten elsewhere free of charge.

Fleeceware on Google Play

This wasn’t the first time fleeceware found its way into Google’s Play Store. In January 2020, SophosLabs revealed it had detected more than 20 fleeceware apps hiding out in the Android marketplace. Those apps gained a collective total of over 600 million installations. One of those apps charged users $69.99 per week, or $3,639.48 annually, for displaying daily horoscopes.

A few months later, Google updated its policies to ensure that users understood the full price of an app subscription, when free trials and introductory offers end and how to manage their app subscriptions.

That didn’t stop some people from attempting to get around Google’s policies. In August 2020, Google removed some fleeceware apps for failing to include a dismiss button and for displaying subscription information in small, light fonts.

Mobile Security Best Practices

Organizations can help defend their users against fleeceware apps, such as the ones described above, by using Mobile Device Management (MDM) to restrict which apps can be installed and what they can do on corporately owned mobile devices. They can also use ongoing security awareness training to reinforce compliance with their security policies, including a published list of the mobile apps and app marketplaces employees are allowed to use on their devices. Users should also be reminded that uninstalling a fleeceware app does not cancel its subscription; the subscription must be cancelled in the Play Store account settings.
