Security researchers at Avast have discovered and reported three iOS VPN apps that were attempting to scam users into buying expensive subscriptions that charged them once a week.
Virtual private networks, or VPNs, are apps that route internet traffic through a "tunnel," often for security and privacy purposes. Security experts have long cautioned users from downloading untrusted VPNs, however, as malicious variants can in some cases glean sensitive information without a user's knowledge.
The three apps that Avast researchers discovered were high-rated VPN apps that "overcharge users, do not provide the services they promote and appear to be 'fleeceware.'"
"Fleeceware apps fall into a gray area, because they are not malicious per se, they simply charge users absurd amounts of money for weekly, monthly or yearly subscriptions for features that should be offered at much lower costs," said Nikolaos Chrysaidos, Avast's head of Mobile Threats and Security.
Researchers found that the three apps charge $9.99 a week for a subscription after a free three-day trial. When they purchased a subscription and attempted to use the VPNs, they only found additional prompts to buy access. Because the researchers already had an existing subscription, the apps showed an error message alerting them of that fact. They were thus "unable to establish a VPN connection" using them.
The three apps are Buckler VPN, Hat VPN and Beetle VPN. All three are still available on the iOS App Store and have ratings ranging from 4.6 to 4.8 stars. Avast notes that the apps don't contain malicious components, so they were able to circumvent Apple's App Store guidelines.
Avast also notes that they found evidence that the app's high-rating reviews were fake. Most of them were similarly written, and peppered in between them were comments warning of scammy functionality. The apps' privacy policies were also written with "very similar language and structure."
The security company recommends users pay close attention to what types of charges can be expected after any app free trial ends, and to closely monitor credit card charges to ensure they aren't being overcharged. Avast says it reported all three apps to Apple.
"With many people turning to VPN apps to protect their data while working remotely, this illustrates how important it is for users to research VPN apps before installing them, including who is behind the product, their track record with other products and user reviews, and experience in offering security and privacy apps," Chrysaidos said.