Bogus fitness apps leverage biometrics to steal money from iOS users
Multiple apps recently banned from the Apple App Store stole money from iOS users by activating a payment mechanism while the users scanned their fingerprints to track their fitness, Slovak cybersecurity company ESET’s publication WeLiveSecurity reports.
The “Fitness Balance” and “Calories Tracker” apps offered BMI calculations, daily calorie intake tracking, and healthy activity reminders, but Reddit users claim that when used for the first time, the apps request a Touch ID scan to identify the user. When the user activates the fingerprint scanner, the app briefly displays a pop-up showing a payment of US$99.99, $119.99, or €139.99. If a credit or debit account is on file in the user’s Apple account, the transaction is automatically completed.
If the user does not perform a fingerprint scan, a pop-up prompts her or him to “continue” and then repeats the scam attempt. WeLiveSecurity reports that “Fitness Balance” received at least 18 mostly positive reviews, including several 5-star ratings, and had an average score of 4.3 stars, and notes that the use of fake reviews by scammers is well known.
The report authors speculate, based on similarities in interface and functionality, that the apps have the same developer.
iPhone X users can activate a feature which requires them to double-click the side button to confirm a payment.
Apple has been steadily expanding its integration of Face ID as the main biometric feature in its mobile devices.