iOS fitness apps were discovered that ask you to provide a fingerprint to continue or to access your data, but instead pop up a subscription screen that automatically charges a saved credit card for over $100 USD.
These apps were called "Fitness Balance" and "Calories Tracker" and would tell users that they needed to supply their fingerprint to access a calorie tracker and diet recommendations. When a user supplied their fingerprint and held it down, the app would automatically try to charge a saved credit card or other payment source for $99 to $119 USD.
While iPhone X users would be protected if they enabled "Double Click to Pay", older iPhone users would be charged automatically if they had enough credit or a saved credit card and Touch ID was enabled.
According to reports from Reddit users and from analysis by ESET mobile app security researcher Lukas Stefanko, these apps contained fake reviews that are meant to make the app appear useful and beneficial.
"Despite its malicious nature, the 'Fitness Balance app' received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews," Stefanko explained in a post regarding these scams. "Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps."
You can see examples of some of these reviews below.
Users on Reddit who contacted the author received what appeared to be an automated response stating that it was a bug and would be removed in the next version.
These apps have since been removed from the App Store, and any affected users can contact Apple for a refund by using the http://reportaproblem.apple.com/ URL.
Unfortunately, protecting yourself from these types of attacks is tricky, as the apps looked perfectly legitimate until users started using them or received a charge. To help mitigate these types of scams, iPhone X users can enable "Double Click to Pay", and all iPhone users can disable Touch ID payments by going into Settings -> Touch ID & Passcode and disabling "Use Touch ID for iTunes & App Store". With that setting off, an in-app purchase prompt requires the Apple ID password instead of a fingerprint, so a finger resting on the sensor cannot silently confirm a charge.
To see a demonstration of how this scam worked, you can view the video created by Stefanko below.
Scam iOS apps have been found on Apple App Store tricking users to pay over $100 - Lukas Stefanko (@LukasStefanko) December 3, 2018
Apps ask for fingerprint right at the moment when paying pop-up shows, which is accepted by user fingerprint. https://t.co/7WwT6bhsLF pic.twitter.com/BYZvd7p0VD