​Two iOS fitness apps found stealing money from users

• The apps leverage a flaw in Apple’s Touch ID feature and steal as much as $120 from each victim.
• To evade suspicion, these apps come with an average rating of 4.3 stars and have received at least 18 positive reviews.

Malicious iOS apps discovered

Two iOS apps that pose as fitness-tracking tools have been found stealing money from iPhone users. These two malicious apps are tracked as the ‘Fitness Balance App’ and ‘Calories Tracker App’ and are created by one author. The dodgy payment system is initiated once the victims scan their fingerprint using Apple’s Touch ID feature.

Modus Operandi and capabilities of apps

According to Reddit users and researchers from ESET, the apps leverage a flaw in Apple’s Touch ID feature and steal as much as $120 from each victim. After a user launches one of these apps, it requests a fingerprint scan prompting the user to ‘view their personalized calorie tracker and diet recommendations.’

Once the user scans his fingerprint using TouchID, the app shows a pop-up confirming a payment amounting to $99.99, $119.99 or €139.99.

Commenting further on the payment mode, Lukas Stefano, a malware analyst at ESET security said, “, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams.”

To evade suspicion, these apps come with an average rating of 4.3 stars and have received at least 18 positive reviews.

“Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps,” said Lukas.

No refunds after launching the apps

iOS users who fell victim to the scam reported the matter to the Apple App Store staff, following which the malicious apps were removed. Users even tried to contact the developers of ‘Fitness Balance app’ for the refund but instead received a generic response. The message said that ‘reporting issues will be fixed in the upcoming version 1.1.

Conclusion

Stefanko speculates that there could be more apps using a similar technique to steal both personal and financial information. Unfortunately protecting yourself from these type of scams are tricky as the scammers disguise the malicious apps to look legitimate. However, Stefanko says that iPhone X users can enable ‘Double Click to Pay’ feature - for verifying the payment - to mitigate such scams. In addition, users must cross-check the reviews of unknown apps before installing them.