Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is swift and unexpected, activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes, says ESET Southern Africa.
There are many apps that promise to assist users on the way to a healthier lifestyle. The apps until recently available in the Apple App Store under the names “Fitness Balance app” and “Calories Tracker app” might have seemed to do just that – they could calculate the BMI, track the daily calorie intake, or remind users to drink more water. However, these services came with an unexpectedly hefty price tag, according to Reddit users.
After a user fires up any of the abovementioned apps for the first time, the apps request a fingerprint scan to “view their personalized calorie tracker and diet recommendations” (Figure 1). Only moments after the user complies with the request and places his/her finger on the fingerprint scanner, the apps display a popup showing a dodgy payment amounting to 99.99, 119.99 USD or 139.99 EUR (Figure 2).
This popup is only visible for about a second, however, if the user has a credit or debit card directly connected to his/her Apple account, the transaction is considered verified and money is wired to the operator behind these scams.
Based on the user interface and functionality, both apps are most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.
Figure 1 – Scam apps in Apple’s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)
Figure 2 – Dodgy payment popping up in “Fitness Balance app” and “Calories Tracker app” (Image source: Reddit)
If users refuse to scan their finger in “Fitness Balance app”, another popup is displayed, prompting them to tap a “Continue” button to be able to use the app. If they comply, the app tries the repeat the dodgy payment procedure again.
Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.
Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of “Fitness Balance app”, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1
What can users do to avoid similar threats?
As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.
On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.
iPhone X users can also activate an additional feature called “Double Click to Pay”, which requires them to double-click the side button (Figure 4) to verify a payment.
Those who already fell victim to this scam can also try to claim a refund from the Apple App Store