Apple’s reputation for watertight security is under scrutiny after apps posing as fitness-tracking tools were caught abusing the Touch ID fingerprint sensor to charge iOS users for a payment they never meant to make.
According to ESET researchers, the apps trigger the bogus payment at the moment the victim scans a fingerprint, a step the apps present as a requirement for their fitness-tracking features.
Available in the Apple App store until recently, the bogus apps – “Fitness Balance app” and “Calories Tracker app” – appeared in videos posted by Reddit users. It is thought the apps were created by the same developer due to similarities in the user interface and functionality.
How did the apps trick users?
The malicious nature of the apps would not have been obvious. The Fitness Balance app had an average rating of 4.3 stars and 18 positive reviews, which were probably fake; seeding an app with fake positive reviews is a well-known scammer technique.
The scam starts when a user opens the app: it asks for a fingerprint scan, ostensibly to unlock personalized calorie tracking and diet recommendations. The moment the user places a finger on the Touch ID sensor, a pop-up appears for a payment of $119.99. Because the finger is already resting on the sensor, the payment is confirmed before the user has a chance to read the prompt, and the amount is charged to the payment method linked to the victim’s Apple ID and credited to the scammer. The practical lesson is that a legitimate app has no need for a fingerprint scan just to show diet recommendations: a Touch ID request with no clear security purpose should be treated as a warning sign.
Victims reported the apps to Apple, which, to its credit, removed them from the App Store quickly. When some users contacted the developer of the Fitness Balance app directly, they received a response promising to fix the reported “issues” in an upcoming version.
How to ensure the apps you download from Apple’s App Store are safe
Apps submitted to Apple’s App Store must follow strict review guidelines and are reviewed by the firm before publication, and every app runs inside a sandbox that limits what it can do. The flip side is that users have to rely on Apple’s own measures: no third-party security products are available in the App Store, so there is nothing to catch an app that slips through review.
There is no need to panic: in general, the App Store is known to be fairly secure. However, it is not immune to issues. In 2015, Chinese security firm Qihoo360 Technology claimed to have uncovered 344 apps affected by XcodeGhost, a trojanized copy of Apple’s Xcode development tool that inserted malicious code into apps compiled with it. More recently, security researchers have discovered apps that violate user privacy.
ESET advises users to always read reviews by others. Its blog says: “As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.”
It also advises iPhone X users to make sure the “Double Click to Pay” confirmation is enabled, which requires a deliberate double-click of the side button before a payment goes through. Unlike a fingerprint that is already resting on the sensor, a double-click cannot be captured incidentally, so the trick described above does not work against it.