Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120 (threatpost.com)
secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unsuspecting iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS App Store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.
According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.
Come on. Who writes these abstracts? Google Translate?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Yep. According to one of the other articles on this, they're not refunding the money either, leaving people to do a chargeback and get their Apple accounts banned.
The iHeartRadio app pulls similar bullshit, just not as scammy.
Shortly after bringing up the app, and around the time you select starting your feed, a near full-screen ad pops up asking if you want a subscription, with a cancel "X" in the top corner and a "Purchase" button on the bottom. Problem is, the whole ad surface is actually a purchase button unless you tap the small area with the "X". If you mess up and have Face ID, or touch the home button, it immediately attempts a transaction.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit