
Two iOS fitness apps tricked users into making TouchID payments


Apple has removed two malicious iOS apps from the App Store after they were found tricking users into approving in-app payments with Touch ID through misleading prompts.

Both apps, named "Fitness Balance app" and "Calories Tracker app", exhibited the same behavior, according to two videos [1, 2] uploaded to Reddit last week by users who were scammed.

Once installed and launched for the first time, each app asked the user to place a finger on the Touch ID sensor, ostensibly to set up a profile and unlock the app's content.

Unbeknownst to the user, the apps were actually initiating a payment in the background, and the Touch ID scan served as the authorization for a charge of $99.99, $119.99, or €139.99.

If the user had a payment card registered with their App Store account, the transaction was accepted and processed immediately; no further confirmation was required beyond the fingerprint.


Image: ESET

The scam was not airtight: the system popup showing the transaction's payment details would briefly flash on screen before being dismissed, giving an attentive user a chance to notice the charge.

Users who kept their eyes on the screen were able to spot the fraudulent transactions, according to the Reddit thread where the scam was first reported last week.

If a suspicious user refused to scan a finger, the apps would not start at all; instead they showed the same fingerprint prompt in a loop until the user either gave in or uninstalled the app.

Based on their near-identical behavior, both apps appear to have been built by the same developer, according to Lukas Stefanko, a mobile security researcher at ESET who analyzed them.

Stefanko also pointed out that despite their dishonest behavior, both apps carried high user ratings and favorable reviews.

“Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps,” Stefanko said.

iOS users who fell victim to this scam are advised to request a refund from Apple. The App Store refund procedure is documented on Apple's support site.
