
iOS fitness apps have been discovered that ask users to provide a fingerprint to continue or to access their data, but instead pop up a subscription screen that automatically charges a saved credit card over $100 USD.

These apps were called "Fitness Balance" and "Calories Tracker" and would tell users that they needed to supply their fingerprint to access a calorie tracker and diet recommendations. When a user supplied their fingerprint and held it down, the app would automatically try to charge a saved credit card or other payment source for $99 to $119 USD.

Fitness Balance Scam

While iPhone X users would be protected if they enabled "Double Click to Pay", older iPhone users would be charged automatically if they had enough credit or a saved credit card and Touch ID was enabled.

According to reports from Reddit users and from analysis by ESET mobile app security researcher Lukas Stefanko, these apps contained fake reviews that are meant to make the app appear useful and beneficial.

"Despite its malicious nature, the 'Fitness Balance app' received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews," Stefanko explained in a post regarding these scams. "Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps."

You can see examples of some of these reviews below.

Fake Reviews


Users on Reddit who contacted the author received what appeared to be an automated response stating that it was a bug and would be removed in the next version.

Automated response from developer

These apps have since been removed from the App Store, and any affected users can contact Apple for a refund at http://reportaproblem.apple.com/.

Unfortunately, protecting yourself from these types of attacks is tricky, as the apps looked perfectly legitimate until users started using them or received a charge. To help mitigate these types of scams, iPhone X users can enable "Double Click to Pay", and all iPhone users can disable Touch ID payments by going to Settings -> Touch ID & Passcode and disabling "Use Touch ID for iTunes & App Store".

To see a demonstration of how this scam worked, you can view the video created by Stefanko below.
