Google has tried to eliminate malicious apps from its Android platform on the Google Play Store, but certain apps, like Fleeceware, slide by Google’s security team. Fleeceware is a type of malicious application that tricks users into paying excessive amounts of money for simple apps with functionality that’s available free elsewhere. These apps have been installed nearly 600 million times on over 100 million devices, according to a Sophos report.
Fleeceware is successful on the Google Play Store (rather than the Apple App Store) because it takes advantage of a business model widely used in the ecosystem, allowing users to download and use apps for a short trial period without paying. However, when the trial expires, if the user who installs one of these apps hasn’t both uninstalled the application and informed the app developer that they’re through with the app, the app developer charges the user. This model is similar to “free trial” offers, putting the responsibility of canceling the services on the user.
These apps pose a number of annoyances for those getting “fleeced,” researchers said. Not only do they get charged exorbitant amounts of money with very little reward, “there’s little recourse” if they want a refund after realizing they’ve been charged because Google Play Store policies are “significantly less consumer-friendly” than ones from typical U.S. credit-card companies, they said.
The Android application, Color Message, has been found to house the “Joker” malware. Joker malware is a persistent threat that’s been around since 2017, hiding itself within legitimate-seeming, common application types like games, messengers, photo editors, translators, and wallpapers, many of them aimed at children. But once installed, Joker apps subscribe victims to unwanted, paid premium services controlled by the attackers, a type of billing fraud that researchers categorize as “fleeceware.” Oftentimes the victim doesn’t realize they’re being charged until the phone bill arrives.
In the worst cases, Fleeceware apps (that contain malware) exfiltrate contact lists and device information, and can hide their icons from the home screen. This was the case with the previous ‘Color Message’ attack, where the application appeared to be making connections to Russian servers.
Malicious Joker apps are commonly found outside of the official Google Play store, but they’ve continued to skirt Google Play’s protections. One of the ways Joker does this is through lightweight development and constant code changes. The most recent version of the malware also takes advantage of a legitimate developer tool called Flutter to evade both device-based security and app-store protections. Flutter is an open-source app development kit designed by Google that allows developers to craft unique apps for mobile, web, and desktop from a single codebase. The use of Flutter to code mobile applications is a common approach and one that traditional scanners see as harmless.
“Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained Zimperium researchers in an analysis published in July.
First, if you have an Android and own ‘Color Message’, delete the app immediately and follow the instructions below to cancel your subscription to avoid becoming a victim of fraud. Users can also check for other applications they may be subscribed to, by following these instructions for Google or Apple accounts:
It’s important to always be sure you’re installing a safe application on your devices. Always check reviews, the country of origin of the application, and the reputation of the developers. Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis:
Most of these recommendations are built into CyberHoot. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
Sources:
Malicious Joker App Scores Half-Million Downloads on Google Play – ThreatPost
‘Fleeceware’ Apps Downloaded 600M Times from Google Play – ThreatPost
Additional Reading:
Hacker Lexicon: What Is Fleeceware, and How Can You Protect Yourself?