Two apps that were posing as fitness-tracking tools were actually using Apple’s Touch ID feature to loot money from unassuming iOS victims.
The two impacted apps were the “Fitness Balance App” and “Calories Tracker App.” Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store.
However, according to Reddit users and researchers with ESET, the apps steal money – almost $120 from each victim – thanks to a sneaky pop-up trick involving the Apple Touch ID feature.
According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to “view their personalized calorie tracker and diet recommendations.”
After the user scans a fingerprint with Touch ID, the app shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users.
“However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams,” said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.
This pop-up is persistent: “If users refuse to scan their finger in ‘Fitness Balance app,’ another pop-up is displayed, prompting them to tap a ‘Continue’ button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure,” said Stefanko.
Making the apps even trickier, the Fitness Balance app had multiple 5-star ratings, as well as an average rating of 4.3 stars, said Stefanko. The app had at least 18 mostly positive user reviews.
“Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps,” he said.
When victims tried to reach out to the apps to request a refund, the apps gave a generic response that promised to fix the issues in the upcoming version 1.1.
Stefanko said that both apps have been removed by Apple. The same developer is likely behind both of them, he said.
However, Stefanko speculated that more apps using a similar scam could pop up in the future: “I think there could be more apps, because of its simple implementation of the scam trick,” he told Threatpost.
Apple did not respond to a request for comment from Threatpost.
Apple is known for its strict policies when it comes to verifying apps in the iOS store; however, the company has faced app privacy and security violation issues in the past.
Earlier in September, for instance, Apple removed a top-rated app, called Adware Doctor, from its official Mac App Store after researchers publicly exposed that the app violated Apple’s sandboxing security policies. The company also took action against a number of different macOS apps that collected browser history data.
Apps in the Android store have also been blamed for issues – for instance, researchers recently claimed that seven Android apps (as well as one from a company called Kika Tech) stole millions of dollars as part of a “click injection” scheme.
There isn’t any easy way to check for malicious apps, especially because Apple doesn’t allow antivirus tools in its store, Stefanko told Threatpost. However, users can take extra precautions by reading reviews by other users, he said.
“As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple,” he said.