Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120 (threatpost.com)
secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.
According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.
As long as Apple got their 30% cut, they looked the other way.
All the more reason that you should never give any personal financial data to your phone. It can't charge you if it doesn't know your credit or bank card number.
Well, the solution would be to provide some amount of guard band, like a "Please remove your finger and read this" prompt if you have a finger on the sensor before the message appears.
I suspect the following is what happens:
1) The app has somehow done something to put up a window on top of system notifications. Draws a "Use Touch ID to log in" type message.
2) The app then commands an in-app payment from the user. This pops up a dialog basically asking the user to confirm or deny the payment.
3) Because of exploiting (1), the app-drawn window obscures the message.
4) iOS interprets the use of Touch ID as confirmation of the payment.
5) Because of something in the background (App Store processing - it can hang the UI thread, it seems), the app loses control of the top-level window it's forcing, and iOS draws the confirmation dialog so it appears.
6) When the app gets notification that the user paid, it removes the message as well.
Step 5 happens, and sometimes when the app is playing music, the music is paused, which seems to indicate that while App Store processing is done, either a thread or the entire app is suspended, temporarily losing control of whatever it was doing.
I would suspect the app somehow manages to draw over the App Store dialogs - whether it's through a view bug or a Z-buffering bug or just doing something that causes the window Z order to be incorrect briefly.
Though I thought usually the dialog first asks for confirmation to which you must say yes or no before you can even authenticate the purchase next, so the app must trick you into tapping a particular part of the screen first...
Though I wouldn't feel too bad for the people tricked - they can get a refund through Apple.
With payment by phone, expect plenty more scams like this.