Avast researchers have found three VPN applications on the App Store that are actually fleeceware. As a reminder, this is a relatively new category of abusive apps: Sophos coined the term at the end of last year, and at that time it was applied only to Android applications.
Fleeceware applications exploit a legal loophole in the free-trial mechanism of app stores. Uninstalling an app does not cancel an auto-renewing subscription; the subscription has to be cancelled separately in the store's subscription settings. So if a user simply deletes such an app after the free period ends without cancelling the subscription, the charges keep coming out of their account. For example, the Android apps Sophos discovered last year had been installed more than 600,000,000 times in total; they kept billing users after the app was removed or the trial ended, charging substantial sums (from $100 to $240 per year) for the simplest of tools, such as QR-code scanners and calculators.
Now Avast researchers have found three such applications in the App Store: Beetle VPN, Buckler VPN and Hat VPN Pro. According to Sensor Tower, a market research and mobile analytics company, these apps were downloaded more than 420,000, 271,000 and 96,000 times, respectively, between April 2019 and May 2020.
According to their descriptions, the apps provide VPN services for $9.99 per week once the free three-day trial ends. All three have high ratings (4.6 to 4.8) and many glowing reviews. However, the reviews are all written in the same style, which Avast says may indicate they are fake; scattered among the enthusiastic reviews are a few negative ones warning of fraud.
The researchers installed all three apps on test devices and successfully paid for each subscription. But when they tried to use the apps for their stated purpose and connect to a VPN, the apps only presented the subscription screen again. When they tried to buy a subscription a second time, they were told they already had one. No VPN connection could be established with any of the three apps.
"Applications like fleeceware fall into a gray area: they are not malicious in themselves, they simply charge absurd amounts of money from users for a weekly, monthly or annual subscription to functions which should cost much less. For example, in this case, VPNs sell for $9.99 a week," says Nikolaos Chrysaidos, Head of Mobile Threat and Security Research at Avast. "These applications do not behave maliciously, therefore they bypass the verification processes existing in official app stores that users trust. Many people turn to VPN applications to protect their data when working remotely. This shows how important it is for users to research VPN applications before installing them, including information about the developers, their reputation in other products, user reviews and information about whether they have other applications for security and privacy."
The researchers note that fleeceware can turn up in any app category. Reviews of such apps usually look fake: some accounts leave one-word reviews such as "Fascinating" or "I love it", while the genuine reviews say that the app does not actually work or charges unreasonably large sums. Fleeceware usually offers a free trial of three to seven days, but may require the user to enter billing details before the trial starts so that the unwarranted charges can be debited from the victim's account automatically as soon as the trial period ends.
Note that in April of this year Sophos researchers had already discovered a batch of fleeceware applications in the Apple App Store. There were 32 of them at the time, charging users up to $30 per month ($9 per week; from $360 to $468 per year). Back then, Sophos researchers suggested that Apple would probably allow these apps to remain in its store, since the company takes a commission on all purchases and is unlikely to fight fleeceware.
Unfortunately, the non-functional VPN apps found by Avast are still available on the App Store, and the researchers urge users to remain vigilant.