Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint, seemingly for fitness-tracking purposes.
There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called “Fitness Balance app” and “Calories Tracker app”, and at first glance appeared to put users on the road to fitness – they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.
After a user fires up any of the abovementioned apps for the first time, the apps request a fingerprint scan to “view their personalized calorie tracker and diet recommendations” (Figure 1). Only moments after the user complies with the request and places a finger on the fingerprint scanner, the apps then display a pop-up showing a dodgy payment amounting to 99.99, 119.99 USD or 139.99 EUR (Figure 2).
This pop-up is only visible for about a second, however, if the user has a credit or debit card directly connected to an Apple account, the transaction is considered verified and money is wired to the operator behind these scams.
Based on the user interface and functionality, both apps are most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.
If users refuse to scan their finger in “Fitness Balance app”, another pop-up is displayed, prompting to tap a “Continue” button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure.
Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.
Victims already reported both of these apps to Apple, which led to their removal from the market. Users even have tried to contact the developer of “Fitness Balance app” directly, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1 (Figure 3).
What can users do to avoid similar threats?
As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.
On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.
iPhone X users are protected from these scams, as this model doesn't have the TouchID feature and instead uses “Double Click to Pay”, which requires the user to double-click the side button (Figure 4) to verify a payment.
Those who already fell victim to this scam can also try to claim a refund from the Apple App Store.