Slashdot Mirror


Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120 (threatpost.com)

secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.

According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

64 comments

  1. Re:Lol at fatties by Anonymous Coward · · Score: 0

    $119.99 less food they can buy, increased metabolism due to anger... So the app works then.

  2. Unassuming != unsuspecting. by 140Mandak262Jamuna · · Score: 3, Informative

    Come on. Who writes these abstracts? Google Translate?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Unassuming != unsuspecting. by Anonymous Coward · · Score: 0

      I've had enough. What will it take to start reversing international wire transfers?

    2. Re:Unassuming != unsuspecting. by arglebargle_xiv · · Score: 1

      Come on. Who writes these abstracts? Google Translate?

      Come, your answer in broken music; for thy voice is music and thy English broken; therefore, queen of all, Katherine, break thy mind to me in broken English.

  3. Apple's 30% Cut by phalse+phace · · Score: 1, Insightful

    As long as Apple got their 30% cut, they looked the other way.

    1. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0, Informative

      Yep. According to one of the other articles on this, they're not refunding the money either, leaving people to do a charge back and get their Apple accounts banned.

    2. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      That is the apple way. Profits above ethics.

    3. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      Wouldn't know. Sold all my Apple gear already.

    4. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      Of course not. Apple is a multi-billion. You think they're going to chisel their marketing campaign (worth millions) for a few thousand x $30-$40 fraudulent transactions? Even SuperLiar Ken Doll isn't that stupid.

    5. Re:Apple's 30% Cut by Anonymous Coward · · Score: 1

      leaving people to do a charge back and get their Apple accounts banned.

      I have done a couple of charge backs against Apple and my account isn't banned yet. Works just fine. With enough of them they'll eventually remove the fraudulent app.

    6. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      For meth.

      #Continue your red state meme

    7. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      And yet this user on the Reddit thread said they have a refund pending,

      https://old.reddit.com/r/assho...

    8. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      It’s a sin to inject facts into the regular Slashdot Apple bashing.

    9. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      Facts: If you chargeback Apple store purchase through your credit card issuer, you owe Apple money. If you owe Apple money, you can’t download app updates or install new apps, even the free ones.

      Satisfied?

    10. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      "If you chargeback Apple store purchase through your credit card issuer, you owe Apple money." = Bullshit, even if they say you do. False.

      "If you owe Apple money, you can’t download app updates or install new apps, even the free ones." = Bullshit, but you may have to start a new ID.

      You done being wrong yet or do you have more falsehoods to be corrected on?

    11. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      A is for Apple... T is for Tax... Cinnamon toasty Apple Tax. Lots of theft in every byte.. Apple tax from (Tim Cook) part of this nutritious breakfast!

      https://www.youtube.com/watch?v=TpKGw87xKrE

    12. Re: Apple's 30% Cut by Anonymous Coward · · Score: 0

      Meth might actually be more useful - retains its value longer.

    13. Re:Apple's 30% Cut by Anonymous Coward · · Score: 0

      That would be illegal. If you charge back, the company has a chance to dispute the charge back. If they don't, then legally you don't owe them anything. If they do, you have the chance to dispute the dispute. If you don't, you are charged the money. If you do, they then have the option of taking you to court. If they don't, you don't legally owe them any money, if they do, well, you'd better have a good defense, otherwise it's going to cost you a lot more than the original charge back cost you.

  4. worked as designed by Anonymous Coward · · Score: 0

    worked as designed, it's on IOS.
    it worked as designed.
    and the users authorized the payment with their Touch ID.

  5. fitness app? by Anonymous Coward · · Score: 0

    We know creimer is safe!

  6. Something seems off by 93+Escort+Wagon · · Score: 3, Interesting

    If it’s a regular App Store or Apple Pay transaction, the app doesn’t control the request for you to scan your fingerprint - so I don’t see how it can pop up “just for a second”.

    I think there’s some information possibly being withheld here.

    --
    #DeleteChrome
    1. Re:Something seems off by Camembert · · Score: 1

      Yes I wondered as well how it exactly happens.

    2. Re:Something seems off by Anonymous Coward · · Score: 0

      it instructs you to keep the finger on the scanner for 10 seconds. that must be long enough to register the payment with minimal, if any, notification.

      the 'app' may not refund, but apple sure as fuck should. these scams are most definitely violating 'app store' terms.

    3. Re:Something seems off by Anonymous Coward · · Score: 1

      The app tells you to scan your thumb. I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button. The app starts a 10 second countdown once it sees your thumb is on the home button, and around three seconds in starts an Apple Pay transaction. Since your thumb is already on the home button, this will vanish as fast as Touch ID works, which is less than a second, then the payment is made while the countdown continues in the background. If you looked away for the duration of the countdown you might never notice the payment happened.

    4. Re:Something seems off by Darinbob · · Score: 1, Insightful

      All the more reason that you should never give any personal financial data to your phone. It can't charge you if it doesn't know your credit or bank card number.

    5. Re:Something seems off by phalse+phace · · Score: 1

      I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button.

      iOS doesn't block apps from accessing TouchID. That would defeat its purpose.

      Many apps use TouchID for logging in (no more passwords to remember) or to process a transaction (e.g. using Starbucks app and TouchID to reload money to a gift card)

    6. Re:Something seems off by Anonymous Coward · · Score: 1

      All the more reason ...

      ... for every transaction to be confirmed by a password. This is why I'm against auto-pay on Google Wallet and 'always logged-in' on PayPal. Google wallet, at least, accepts my need for security.

    7. Re:Something seems off by _merlin · · Score: 3, Insightful

      Well the solution would be to provide some amount of guard band, like a "Please remove your finger and read this" prompt if you have a finger on the sensor before the message appears.

    8. Re:Something seems off by 93+Escort+Wagon · · Score: 1

      That’s not what I said. The app basically hands the request for a purchase off to iOS, then iOS tells the app whether the verification was successful or not. The app itself has no say in the duration of the window’s appearance - the transaction is managed by iOS.

      --
      #DeleteChrome
    9. Re:Something seems off by Anonymous Coward · · Score: 0

      Maybe the developers found some unexpected way of provoking the pop-up window to dismiss quickly. I was surprised recently by a case when I was recording video with my iPhone and an incoming call instantly ended recording! Sure, it makes sense, but, clearly, there would be cases when that would be a really undesirable result -- as it was in my case, where I really wanted to record a unique event. So, maybe there is some silly way to trick the pop-up window to dismiss, like playing a video in a 1x1-pixel box (with some unexpected chain of decisions made by iOS which dismisses pop-up messages).

    10. Re:Something seems off by tlhIngan · · Score: 4, Insightful

If it’s a regular App Store or Apple Pay transaction, the app doesn’t control the request for you to scan your fingerprint - so I don’t see how it can pop up “just for a second”.

      I think there’s some information possibly being withheld here.

      I suspect the following is what happens:

      1) The app has somehow done something to put up a window on top of system notifications. Draws a "Use touch ID to log in" type message.
2) The app then commands an in-app payment from the user. This pops up a dialog basically asking the user to confirm or deny the payment.
      3) Because of exploiting (1), the app drawn window obscures the message.
      4) iOS interprets the use of Touch ID as confirmation of the payment
      5) Because of something in the background (app store processing - it can hang the UI thread it seems), the app loses control of the top level window it's forcing, iOS draws the confirmation dialog so it appears
      6) When the app gets notification that the user paid, it removes the message as well.

      Step 5 happens, and sometimes when music is playing by the app, the music is paused, which seems to indicate while app store processing is done, either a thread or the entire app is suspended temporarily losing control of whatever it was doing.

      I would suspect somehow the app manages to draw over the App Store dialogs somehow - whether it's through a view bug or a Z-buffering bug or just doing something that somehow causes the window Z order to be incorrect briefly.

      Though I thought usually the dialog first asks for confirmation to which you must say yes or no before you can even authenticate the purchase next, so the app must trick you into tapping a particular part of the screen first...

      Though I wouldn't feel too bad for the people tricked - they can get a refund through Apple.

    11. Re:Something seems off by Anonymous Coward · · Score: 1

      Probably a good idea, like "Processing payment, please remove your finger and touch the sensor when instructed to do so" or similar. Granted, I can't fault Apple here and I'm about as anti-apple as can be. I would have never thought of that on my own.

    12. Re:Something seems off by crunchygranola · · Score: 1

      Yes, the inherent problem with a phone-camera (not a camera-phone). It is primarily a phone, not a camera. You don't want the device to end up like in Spy Kids 3 bit with Machete's multi-function watch that no longer tells time (something had to go). Or... maybe we do...

      --
      Second class citizen of the New Gilded Age
    13. Re:Something seems off by _merlin · · Score: 1

      You must have never worked with safety-critical equipment. This kind of interface design is common in robotics and heavy machinery.

    14. Re:Something seems off by Anonymous Coward · · Score: 0

      It would be trivial for a phone to detect when enough of the screen is being touched. It's not scanning your fingerprint, it just wants you to touch it.

    15. Re: Something seems off by Anonymous Coward · · Score: 0

      Inherent problem?

      None of my Android devices stop recording just because of an incoming phone call. Hell, it barely interrupts whatever I'm doing since it's just a dismissable popup. My Samsung even detects when I'm playing a game and makes it even less visually noticeable (if you turn on that mode)

    16. Re: Something seems off by Anonymous Coward · · Score: 0

      Google play requires a press of a buy button, then you provide authentication.

      Firefox download popup windows delay for 2 seconds to avoid click jacking.

      This isn't an uncommon hack. It is totally Apple's fault

    17. Re:Something seems off by Anonymous Coward · · Score: 0

      The first prompt is a decoy to get you to put your finger on the scanner, then the app triggers the actual payment request which polls the finger print scanner which immediately returns that your authorized finger is on the scanner, so the prompt closes and authorizes the transaction.

    18. Re:Something seems off by Anonymous Coward · · Score: 0

      More likely the app can't hide the authorization prompt, but because the user's finger was on the scanner when the request was initiated the OS begins verifying the finger print immediately after it starts drawing the prompt, and the total time from "start drawing the prompt" to "authorization accepted, close the prompt" is very short.

      This is a similar behavior to spamming the 'enter' key on some slow UI's to seemingly skip intermediate screens.

    19. Re: Something seems off by Anonymous Coward · · Score: 0

You would think.. until your smartphone silently signs you up to a premium SMS subscription after accidentally clicking a banner ad

    20. Re: Something seems off by Anonymous Coward · · Score: 0

      Can't fault Apple? Who the f*&@ is at fault then? Unbelievable
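The race described in replies 17 and 18 above (finger already resting on the sensor when the payment prompt is drawn), and the guard band _merlin proposes in reply 7 plus the minimum-display delay reply 16 attributes to Firefox, modelled as an added example in Python. This is not code from the original thread, from Apple, or from the apps discussed; the sensor timelines, policies and timings are constructed for illustration.

```python
"""Model of the Touch ID payment-prompt race and a guard-band policy.

A timeline is a list of sensor samples taken after the payment prompt is
drawn.  A naive policy accepts the first enrolled finger it sees, which is
exactly what lets a decoy "keep your finger on the button" screen pre-load
the authorization.  The guard-band policy refuses to accept a finger that
was already down when the prompt appeared and waits until the prompt has
been on screen long enough to be read.  All timelines here are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SensorSample:
    t_ms: int            # milliseconds since the payment prompt was drawn
    finger_present: bool  # is anything resting on the sensor?
    enrolled: bool        # does it match an enrolled fingerprint?


# Scam flow: the decoy screen already has the user's finger on the home
# button, so the very first sample after the prompt appears is a match.
FINGER_ALREADY_DOWN = [
    SensorSample(0, True, True),
    SensorSample(100, True, True),
    SensorSample(200, True, True),
]

# Legitimate flow: prompt appears, the user reads it, then touches ~2.5 s later.
LEGIT_PURCHASE = [
    SensorSample(0, False, False),
    SensorSample(1000, False, False),
    SensorSample(2500, True, True),
    SensorSample(2600, True, True),
]

# Hasty but honest flow: finger was off the sensor, then placed after 0.5 s.
LIFTED_THEN_EARLY = [
    SensorSample(0, False, False),
    SensorSample(500, True, True),
    SensorSample(2100, True, True),
]

Decision = Tuple[str, Optional[int]]


def naive_policy(samples: List[SensorSample]) -> Decision:
    """Accept on the first enrolled finger, however soon after the prompt."""
    for s in samples:
        if s.finger_present and s.enrolled:
            return ("accepted", s.t_ms)
    return ("timeout", None)


def guard_band_policy(samples: List[SensorSample],
                      min_display_ms: int = 2000,
                      require_lift: bool = True) -> Decision:
    """Accept only a finger placed *after* the prompt was drawn and only once
    the prompt has been visible for min_display_ms.  A finger that is already
    down yields 'lift_required' (the "please remove your finger and read this"
    state from reply 7) instead of a payment."""
    seen_lift = not require_lift
    for s in samples:
        if not s.finger_present:
            seen_lift = True          # sensor has been clear since the prompt
            continue
        if not seen_lift:
            return ("lift_required", s.t_ms)
        if s.enrolled and s.t_ms >= min_display_ms:
            return ("accepted", s.t_ms)
        # enrolled finger but prompt not yet readable: keep waiting
    return ("timeout", None)
```

With the constructed scam timeline the naive policy pays at t=0 ms, while the guard band stops at "lift_required"; the legitimate timelines still complete, the hasty one simply waits until the 2 s window has passed.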

  7. Seems fair by TimMD909 · · Score: 1

$120 is a pretty good deal for a semester in the school of hard knocks. Compare it to a DUI that costs $9000 (you're already thinking of DBZ, cuz you lost the game), and it's obvious this is a better ROI with less risk to others.

    1. Re:Seems fair by Anonymous Coward · · Score: 1

$120 is a pretty good deal for a semester in the school of hard knocks. Compare it to a DUI that costs $9000 (you're already thinking of DBZ, cuz you lost the game), and it's obvious this is a better ROI with less risk to others.

      At that precise point in your sentence I was thinking that you're an alcoholic that believes everyone else is too. I'm not sure I really feel like the loser in this situation, and we haven't even discussed the apparent anime reference.

  8. Re: Lol at fatties by Anonymous Coward · · Score: 1

This is why I am ok with the Apple App store always taking 30% off the top. You don't see these kinds of scams in the Apple App Store, only on shady internet sites that require you to sideload or jailbreak your phone. Apple needs their thirty percent cut or they couldn't protect people from scams like these. That thirty percent lets them do a serious analysis of every program being submitted, to look for shady things like this. Stay in the walled garden, it is safe.

    Oh, wait, you said this is on iPhones? Then it is just a rogue actor. Omelet, broken eggs. Not a big deal. Nothing to see here.

  9. More mainstream apps too. by rworne · · Score: 3, Informative

    The iHeartRadio app pulls similar bullshit, just not as scammy.

    Shortly after bringing up the app, and around the time you select starting your feed, a near full-screen ad pops up asking if you want a subscription, with a cancel "X" in the top corner and a "Purchase button" on the bottom. Problem is, the whole ad surface is actually a purchase button unless you tap the small area with the "X". If you mess up and have FaceID or touch the home button, it immediately attempts a transaction.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    1. Re:More mainstream apps too. by Anonymous Coward · · Score: 0

      Apps pulling that kind of shit should immediately have the developer account perma-banned from the apple store. Yes, another account with different payment details may be then registered, but if apple are any good at that, they'll check the billing address and perma-ban that too (or ask for a grovelling letter of apology)

    2. Re:More mainstream apps too. by ctilsie242 · · Score: 2

      This can be an easy fix on Apple's part. Just like when an app asks for permissions with the camera or accessing contacts, iOS should prompt the user and state that the app is wanting to have access to the fingerprint scanner for payments. Perhaps have a dialog that only allows access for "x" amount of time before iOS requests permissions for the app to use the fingerprint scanner again, and showing the user what things the app might ask for in in-app payments.

  10. I had a heart attack - I KNOW the secrets of life by Anonymous Coward · · Score: 0

    You want to know what your problem is. That apple. You should be eating it, not having it fry your brain.

  11. This is why you don't save your credit card.... by Anonymous Coward · · Score: 0

    Common sense here. Don't save that kinda crap on your phone.

    Just use the damn card in your wallet...

  12. The thing is... by Anonymous Coward · · Score: 0

    Anybody dumb enough that this happened to them should consider it an excellent educational investment. $120 is cheap, and the potential education very valuable. Of course, it's not about what you learn, it's what you DO with what you learn, isn't it?

    1. Re: The thing is... by Anonymous Coward · · Score: 0

      The app author should be doxxed, to give them the opportunity to get an education as well.

  13. Most apps are shit ... by Anonymous Coward · · Score: 0

    Apps started off kinda cool .. small, lightweight, and useful.

    Over the years, apps have become primarily sources of ads, malware, and other shady things.

    The more apps there are in a given category, the more likely most of them are complete garbage which exist to rip off their 'customers'.

    The number of apps I have is pretty low, and I've mostly stopped looking for them. They generally add little value beyond what I could reach with a browser, and I refuse to use a smart phone to use a browser because I don't have the same blocking and privacy tools available to me.

    Whatever, it's a first world problem ... you downloaded a fitness app (didn't your phone come with one?), you set up fingerprint scanning, and you tied that to a credit card ... honestly, this is about what I'd have expected from doing those things.

    Phones seem to want to make things easy and convenient to access your credit cards, the problem is that takes away a lot of the security you get from not doing stupid stuff like that.

    I consider this whole digital pay ecosystem to be a series of security blunders which should combine nicely to a shitstorm of people getting ripped off by stuff like this.

    This is a problem entirely of the user's own creation.

    1. Re:Most apps are shit ... by ctilsie242 · · Score: 1

Apps went downhill when IAP was introduced into iOS, around the 5.0 mark. Games went from entertaining and interesting to way difficult, forcing one to buy in game currency to get past a hurdle, or wait 8-16 hours. Apps also started doing everything they can to try to upload as much data as possible. For example, why would a flashlight app demand access to the phone, contacts, music library, GPS, text messages, and everything else?

      Now, we are just seeing the next step in this. Apps trying to phone home with as much data as possible are not making money, so we are now seeing them hit IAP. Realistically, the app makers who can pull this won't be punished. At worst, Apple might find a mechanism to stop that, but the people who crafted the scam will end up making money big time.

      Any app can do this. For example, a security app which prompts the user to authenticate to log in can ask for that... then pop up an IAP dialog and make a couple C-notes. This could be done randomly, even perhaps with some AI scanning to find the ideal mark, perhaps teenagers who wouldn't be reporting this to parents for fear their device would be taken away.

  14. Payment by Phone by nukenerd · · Score: 3, Insightful

    With payment by phone, expect plenty more scams like this.

  15. how is touch id secure? by Anonymous Coward · · Score: 0

    people still use this failed technology? they get what they deserved.

  16. Re: Lol at jews by Anonymous Coward · · Score: 0

    Once is enough.

  17. what weren't you thinking? by epine · · Score: 1

    It's a simple cost of doing business for any consumer who wires their bank credentials into the cloud, and then runs random applet downloads in the same sandbox.

    So you put a wall-sized aquarium in your nursery with your newborn twins, and inside the aquarium you stock a giant python or cobra, and then you get yourself a riced-out 1 hp Roomba from Akihabara, just because, and then you download an experimental, indoor auto-mapping package for said Roomba from some applet pop-shop located in a dusty, foreign currency–starved minor-dictatorship whose borders you could barely sketch onto the right continent.

    What could possibly go wrong?

  18. If they have a credit card registered? by slazzy · · Score: 1

    You can't even download a free app without a credit card registered.

    --
    Website Just Down For Me? Find out
    1. Re:If they have a credit card registered? by CanadianMacFan · · Score: 1

      You can register a gift card and download apps with that.

    2. Re:If they have a credit card registered? by Anonymous Coward · · Score: 0

      You can't even download a free app without a credit card registered.

I remember this. My helpdesk at work has an old iPad for certain troubleshooting which nobody really maintained. Being the opening shift and finding emergencies where you have to download or update to X version means there is little time to do things right and you end up using personal logins for things. It's a pain to find that my pre-credit-card registration was then invalid until a card was added.

      While I later was given the choice to de-register the card, it is a strike against apple in my eyes. But they're not alone. Kindle Fire tablets demanded an Amazon account for the app store IIRC, and Google does likewise on Android land. Oh, and I've seen a few phones where every. single. app download requires hitting skip on a dialog that wants a Paypal, CC payment backing. Not sure why I always lacked that on personal phones from various makes.

I digress: given that nothing is ever deleted today, temporarily forcing users to fork over their CC to access free apps should be a crime, because sooner or later the data sitting on cold storage on S3 somewhere WILL get stolen even after I've long assumed my intentions for removal have been honored. On-demand dialogs used to be the norm back in the nineties (remember Ye olde Dial-Up-Networking modem reconnect nag every time spyware wanted to phone home behind your back? or how Wizards would wait for Just-In-Time questions instead of your seeing apps that want to know your life story by way of a pre-signin profile and contact-list slurp), but nowadays you're asked for Wifi config data and Microsoft account passwords before you're even done with the OS setup.

  19. Eat crap and die by Anonymous Coward · · Score: 0

    Fyi app was already removed. Try that in google store. Or a refund