Dissecting fleeceware apps: the million-dollar money-making machine in Android and iOS

Wednesday 30 September 11:30 - 12:00, Red room

Jagadeesh Chandraiah (Sophos)



Do you want to pay $69.99/week or even $199.99/year for a horoscope app, palm reading app or even screen editor? Fleeceware is the term used to describe applications that exist both on Android and iOS, claim to be free, offer free trials for a small number of days and then over-charge, with charges ranging from $30 to $300 for simple applications like QR code readers, screen editors and video recorders.

We have been researching these apps since last year and have discovered hundreds of them, many with an install count as high as 50 million and some of them in the top grossing category in Android and iOS app stores.

Android and iOS app revenues, including all in-app purchases, amount to billions of dollars every year. Fleeceware app authors get a cut of 70%-85% of the total cost, so they could potentially make millions in revenue by using a subscription model. This model is very attractive for those with nefarious intentions to make easy money with a simple app.

Fleeceware apps are not just about offering a free trial and then charging users. The authors of these apps use interesting techniques to promote their apps and make them a success. Fleeceware apps use fake reviews and fake installs to increase the visibility of the app. Their authors also invest in a variety of promotional activities to increase their returns, such as running ads for the apps on social media platforms like YouTube and Instagram, running app search ads, and creating their own apps just to promote fleeceware.

To avoid scrutiny by security services, fleeceware apps leave out the subscription model when the app is first published; the fleeceware module is introduced only at a later stage, after the app has gained popularity and fake ratings. This helps the apps evade security checks and helps convince users of the legitimacy of the apps.

In this presentation, we will:

  • Discuss fleeceware apps, demonstrate fleeceware on Android/iOS, and then discuss how such apps evade app store security checks.
  • Delve into the shady world of pay-per-fake review and fake install factories and how anyone can turn their app into an overnight success.
  • Look into fleeceware promotional campaigns using in-app promotions and social media platforms such as Instagram and YouTube.
  • Discuss app subscription revenues, business models and how fleeceware has ended up in top grossing charts.
  • Investigate fleeceware developer profiles and who is creating these apps.
  • Present user stories from app stores on how vulnerable users are losing hundreds of dollars unknowingly.

 


Jagadeesh Chandraiah

Jagadeesh Chandraiah is a senior malware researcher at SophosLabs, specializing in mobile malware analysis. Jagadeesh has been working at SophosLabs for over 10 years. Jagadeesh started working on Windows malware analysis and is currently focusing on mobile malware analysis. Jagadeesh has a Master’s degree in computer systems security from the University of South Wales.

Jagadeesh likes to track malware, and to research and find novel ways to detect and remediate it. Jagadeesh is a frequent contributor to the SophosLabs Uncut blog and has written blog posts about several mobile malware topics. Jagadeesh also regularly presents his research at international security conferences and in the past has presented his research at DeepSec, AVAR, CARO, and Virus Bulletin.

Outside of work, Jagadeesh enjoys playing badminton.

@jag_chandra


