Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120

secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.

According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

Unassuming != unsuspecting.

[140Mandak262Jamuna]

Come on. Who writes these abstracts? Google Translate?

Re:Unassuming != unsuspecting.

[arglebargle_xiv]

Come on. Who writes these abstracts? Google Translate?

Come, your answer in broken music; for thy voice is music and thy English broken; therefore, queen of all, Katherine, break thy mind to me in broken English.

Apple's 30% Cut

[phalse+phace]

As long as Apple got their 30% cut, they looked the other way.

Re:Apple's 30% Cut

leaving people to do a charge back and get their Apple accounts banned.

I have done a couple of charge backs against Apple and my account isn't banned yet. Works just fine. With enough of them they'll eventually remove the fraudulent app.

Something seems off

[93+Escort+Wagon]

If it’s a regular App Store or Apple Pay transaction, the app doesn’t control the request for you to scan your fingerprint - so I don’t see how it can pop up “just for a second”.

I think there’s some information possibly being withheld here.

Re:Something seems off

[Camembert]

Yes I wondered as well how it exactly happens.

Re:Something seems off

The app tells you to scan your thumb. I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button. The app starts a 10 second countdown once it sees your thumb is on the home button, and around three seconds in starts an Apple Pay transaction. Since your thumb is already on the home button, this will vanish as fast as Touch ID works, which is less than a second, then the payment is made while the countdown continues in the background. If you looked away for the duration of the countdown you might never notice the payment happened.

Re:Something seems off

[Darinbob]

All the more reason that you should never give any personal financial data to your phone. It can't charge you if it doesn't know your credit or bank card number.

Re:Something seems off

[phalse+phace]

I thought iOS blocked access to the fingerprint scanner but it clearly provides enough information to know when your thumb is on the home button.

iOS doesn't block apps from accessing TouchID. That would defeat its purpose.

Many apps use TouchID for logging in (no more passwords to remember) or to process a transaction (e.g. using Starbucks app and TouchID to reload money to a gift card)

Re:Something seems off

All the more reason ...

... for every transaction to be confirmed by a password. This is why I'm against auto-pay on Google Wallet and 'always logged-in' on PayPal. Google wallet, at least, accepts my need for security.

Re:Something seems off

[_merlin]

Well the solution would be to provide some amount of guard band, like a "Please remove your finger and read this" prompt if you have a finger on the sensor before the message appears.

Re:Something seems off

[93+Escort+Wagon]

That’s not what I said. The app basically hands the request for a purchase off to iOS, then iOS tells the app whether the verification was successful or not. The app itself has no say in the duration of the window’s appearance - the transaction is managed by iOS.

Re:Something seems off

[tlhIngan]

If itâ(TM)s a regular App Store or Apple Pay transaction, the app doesnâ(TM)t control the request for you to scan your fingerprint - so I donâ(TM)t see how it can pop up âoejust for a secondâ.

I think thereâ(TM)s some information possibly being withheld here.

I suspect the following is what happens:

1) The app has somehow done something to put up a window on top of system notifications. Draws a "Use touch ID to log in" type message.
2) The app then commands a in-app payment from the user. This pops up a dialog basically asking the user to confirm or deny the payment.
3) Because of exploiting (1), the app drawn window obscures the message.
4) iOS interprets the use of Touch ID as confirmation of the payment
5) Because of something in the background (app store processing - it can hang the UI thread it seems), the app loses control of the top level window it's forcing, iOS draws the confirmation dialog so it appears
6) When the app gets notification that the user paid, it removes the message as well.

Step 5 happens, and sometimes when music is playing by the app, the music is paused, which seems to indicate while app store processing is done, either a thread or the entire app is suspended temporarily losing control of whatever it was doing.

I would suspect somehow the app manages to draw over the App Store dialogs somehow - whether it's through a view bug or a Z-buffering bug or just doing something that somehow causes the window Z order to be incorrect briefly.

Though I thought usually the dialog first asks for confirmation to which you must say yes or no before you can even authenticate the purchase next, so the app must trick you into tapping a particular part of the screen first...

Though I wouldn't feel too bad for the people tricked - they can get a refund through Apple.

Re:Something seems off

Probably a good idea, like "Processing payment, please remove your finger and touch the sensor when instructed to do so" or similar. Granted, I can't fault Apple here and I'm about as anti-apple as can be. I would have never thought of that on my own.

Re:Something seems off

[crunchygranola]

Yes, the inherent problem with a phone-camera (not a camera-phone). It is primarily a phone, not a camera. You don't want the device to end up like in Spy Kids 3 bit with Machete's multi-function watch that no longer tells time (something had to go). Or... maybe we do...

Re:Something seems off

[_merlin]

You must have never worked with safety-critical equipment. This kind of interface design is common in robotics and heavy machinery.

Seems fair

[TimMD909]

$120 is a pretty good deal for a semester in the school of hard knocks. Compare it a DUI that costs of $9000 (you're already thinking of DBZ, cuz you lost the game), and it's obvious this a better ROI with less risk to others.

Re:Seems fair

$120 is a pretty good deal for a semester in the school of hard knocks. Compare it a DUI that costs of $9000 (you're already thinking of DBZ, cuz you lost the game), and it's obvious this a better ROI with less risk to others.

At that precise point in your sentence I was thinking that you're an alcoholic that believes everyone else is too. I'm not sure I really feel like the loser in this situation, and we haven't even discussed the apparent anime reference.

Re: Lol at fatties

This is why I am ok with the Apple App store always taking 30% off the top. You don't see these kinds of scams in the Apple App Store, only on shady internet sites that require you to sideload or jailbreak your phone. Apple needs their thirty percent cut or they couldn't protect people from scams like these. That thirty percent Lets them do a serious analysis of every program being submitted, to look for shady things like this. Stay in the walled garden, it is safe.

Oh, wait, you said this is on iPhones? Then it is just a rogue actor. Omelet, broken eggs. Not a big deal. Nothing to see here.

More mainstream apps too.

[rworne]

The iHeartRadio app pulls similar bullshit, just not as scammy.

Shortly after bringing up the app, and around the time you select starting your feed, a near full-screen ad pops up asking if you want a subscription, with a cancel "X" in the top corner and a "Purchase button" on the bottom. Problem is, the whole ad surface is actually a purchase button unless you tap the small area with the "X". If you mess up and have FaceID or touch the home button, it immediately attempts a transaction.

Re:More mainstream apps too.

[ctilsie242]

This can be an easy fix on Apple's part. Just like when an app asks for permissions with the camera or accessing contacts, iOS should prompt the user and state that the app is wanting to have access to the fingerprint scanner for payments. Perhaps have a dialog that only allows access for "x" amount of time before iOS requests permissions for the app to use the fingerprint scanner again, and showing the user what things the app might ask for in in-app payments.

Payment by Phone

[nukenerd]

With payment by phone, expect plenty more scams like this.

Re:Most apps are shit ...

[ctilsie242]

Apps went downhill when IAP was introduced into iOS, around the 5.0 mark. Games went from entertaining and interesting to way difficult, forcing one to buy in game currency to get past a hurdle, or wait 8-16 hours. Apps also started doing everything they can to try to upload as much data as possible. For example, why would a flashlight app demand access to the phone, contacts, music library, GPS, text messages, and everything else.

Now, we are just seeing the next step in this. Apps trying to phone home with as much data as possible are not making money, so we are now seeing them hit IAP. Realistically, the app makers who can pull this won't be punished. At worst, Apple might find a mechanism to stop that, but the people who crafted the scam will end up making money big time.

Any app can do this. For example, a security app which prompts the user to authenticate to log in can ask for that... then pop up an IAP dialog and make a couple C-notes. This could be done randomly, even perhaps with some AI scanning to find the ideal mark, perhaps teenagers who wouldn't be reporting this to parents for fear their device would be taken away.

what weren't you thinking?

[epine]

It's a simple cost of doing business for any consumer who wires their bank credentials into the cloud, and then runs random applet downloads in the same sandbox.

So you put a wall-sized aquarium in your nursery with your newborn twins, and inside the aquarium you stock a giant python or cobra, and then you get yourself a riced-out 1 hp Roomba from Akihabara, just because, and then you download an experimental, indoor auto-mapping package for said Roomba from some applet pop-shop located in a dusty, foreign currency–starved minor-dictatorship whose borders you could barely sketch onto the right continent.

What could possibly go wrong?

If they have a credit card registered?

[slazzy]

You can't even download a free app without a credit card registered.

Re:If they have a credit card registered?

[CanadianMacFan]

You can register a gift card and download apps with that.