Security experts from Sophos discovered 25 Android apps on the official Google Play that were involved in financial fraud, 600 million affected.

Security researchers from Sophos discovered a set of so-called fleeceware apps that have been installed by more than 600 million Android users.

Fleeceware apps are applications uploaded to the official Google Play Store that engage in fraudulent activity: they offer a short free trial period and, if users don’t cancel the “subscription” in time, charge the Android user an excessive amount of money.

“The total number of installations of these apps, as reported on Google’s own Play pages, is high: nearly 600 million in total, across fewer than 25 apps; A few of the apps on the store appear to have been installed on 100 million+ devices, which would rival some of the top, legitimate app publishers on Google Play.” reads the analysis published by Sophos.

“We have good reason to believe that the install count may have, in some cases, been manipulated. But some of the apps, including a popular keyboard app that allegedly transmits the full text of whatever its users type back to China, may legitimately have that many downloads.”

Experts warn that the business model behind fleeceware apps poses significant risks to Android users.

In September, Sophos published a first report warning of this phenomenon: the company had discovered an initial set of 24 Android apps that were charging huge fees (between $100 and $240 per year) for generic functionality (e.g. QR/barcode readers).

Now Sophos has discovered a new set of Android “fleeceware” apps that monetize through this fraudulent behavior; their developers have continued to abuse the app trial mechanism to impose charges on users even after they uninstalled the app.

The fleeceware apps have a high install count, with some of them reaching tens of millions of installs, a circumstance that suggests the threat actors behind these apps may have used third-party pay-per-install services to inflate the number of installations.

“Some of these apps are very unprofessional looking. Based on past experience, it may have been the case that these app developers could have used a paid service to bloat their install counts and forge a large number of four- and five-star reviews.” continues the report. “You can identify some of these falsified user review clusters if you scrutinize the recent 5 star reviews; one-to-three word, five star reviews have a propensity to be “sockpuppet” reviews.”

Sophos has published a list of the apps classified as fleeceware.

Pierluigi Paganini

(SecurityAffairs – fleeceware apps, fraud)