App Subscription Scams: How They Evade Store Controls

What Happened?

The U.S. Federal Trade Commission (FTC) filed a lawsuit on March 12, 2025, against a network of companies operating deceptive subscription apps on Apple's App Store and Google Play. According to the complaint, the operators, identified as Vungle, Tapjoy, and other related entities, used at least 12 shell companies and changed corporate names each time they accumulated complaints, remaining active despite platforms' attempts to expel them. The scheme, operating since at least 2018, generated estimated revenues of over $100 million through unauthorized charges to users, according to the FTC. Apps like 'Lucky Charms' and 'Jewel Crush' offered free trials that converted into subscriptions without explicit consent, charging between $9.99 and $99.99 per month. The scammers exploited the complexity of the mobile payment ecosystem, using payment processors that did not adequately verify their clients and designing interfaces that hid subscription terms in fine print or through confusing pop-ups.

Why Is This Important?

This case demonstrates that app store review systems are insufficient to detect sophisticated scams. Unlike earlier simpler scams, such as fake apps in 2020 that mimicked legitimate services, this network used advanced evasion techniques: they changed corporate names every 3-6 months, created new developer accounts with fake documents, and rotated among different payment processors to avoid detection. According to FTC data, over 2 million U.S. consumers were affected, with total losses exceeding $150 million since 2018. The case also reveals flaws in platform oversight: Apple and Google approved apps that later turned out to be fraudulent, despite both companies claiming to review every app. This incident adds to others like the FTC's 2022 lawsuit against subscription app developer 'LevelUp', which resulted in a $10 million fine. However, the scale and sophistication of this new case are greater, suggesting the problem is systemic.

What Will Be the Consequences?

The FTC seeks financial penalties that could reach $500 million under the FTC Act, along with injunctions barring those involved from operating in the app market. Apple and Google, already criticized for their role in enabling these scams, are expected to strengthen developer verification and app monitoring mechanisms. For example, they could implement biometric identity verification for developers or use artificial intelligence to detect fraudulent behavior patterns. In the long term, regulatory changes could be implemented, such as the proposed 'Subscription Transparency Act' introduced in the U.S. Congress in January 2025, which would require app stores to verify developer legitimacy and payment processors to conduct periodic audits. In parallel, the FTC has launched a broader investigation into subscription practices in the industry, which could result in additional fines for other companies. For consumers, the immediate consequence is the need to be more vigilant: according to an FTC survey, 68% of affected users did not notice the charges until several months later.

What Should Readers Know?

Users should regularly review their active subscriptions in their device settings, both on iOS (Settings > [name] > Subscriptions) and Android (Google Play > Subscriptions). Be wary of apps that request payment information without a clear free trial or that have suspiciously positive reviews. Read the terms before accepting, paying special attention to auto-renewal clauses. It is also advisable to use virtual payment methods, such as prepaid cards or services like Apple Pay with spending limits, to limit potential damage. If you detect unauthorized charges, report them immediately to your bank, the FTC (reportfraud.ftc.gov), and the relevant app store. This case is a reminder that even on seemingly secure platforms, scammers find ways to exploit system vulnerabilities. The combination of shell companies, multiple identities, and lax payment processors creates an environment where responsibility largely falls on the end user, underscoring the need for stricter regulation and greater collaboration between platforms and authorities.