Slashdot Mirror


Two iOS Fitness Apps Were Caught Using Touch ID To Trick Users Into Payments of $120 (threatpost.com)

secwatcher shares a report from Threatpost: Two apps that were posing as fitness-tracking tools were actually using Apple's Touch ID feature to loot money from unassuming iOS victims. The two impacted apps were the "Fitness Balance App" and "Calories Tracker App." Both apps looked normal, and served functions like calculating BMI, tracking daily calorie intake or reminding users to drink water; and both received good reviews on the iOS store. However, according to Reddit users and researchers with ESET, the apps steal money -- almost $120 from each victim -- thanks to a sneaky popup trick involving the Apple Touch ID feature.

According to heated victims who took to Reddit to air their complaints, after a user launches one of the apps, it requests a fingerprint scan prompting users to "view their personalized calorie tracker and diet recommendations." After the users use Touch ID, the app then shows a pop-up confirming a payment of $119.99. The pop-up is only visible for a second, according to users. "However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," said Lukas Stefanko, malware analyst with ESET security, in a Monday post on the scam.

7 of 64 comments

  1. Unassuming != unsuspecting. by 140Mandak262Jamuna · · Score: 3, Informative

    Come on. Who writes these abstracts? Google Translate?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Something seems off by 93 Escort Wagon · · Score: 3, Interesting

    If it’s a regular App Store or Apple Pay transaction, the app doesn’t control the request for you to scan your fingerprint - so I don’t see how it can pop up “just for a second”.

    I think there’s some information possibly being withheld here.

    --
    #DeleteChrome
    1. Re:Something seems off by _merlin · · Score: 3, Insightful

      Well the solution would be to provide some amount of guard band, like a "Please remove your finger and read this" prompt if you have a finger on the sensor before the message appears.

    2. Re:Something seems off by tlhIngan · · Score: 4, Insightful

      If it's a regular App Store or Apple Pay transaction, the app doesn't control the request for you to scan your fingerprint - so I don't see how it can pop up "just for a second".

      I think there's some information possibly being withheld here.

      I suspect the following is what happens:

      1) The app has somehow done something to put up a window on top of system notifications. Draws a "Use touch ID to log in" type message.
      2) The app then commands an in-app payment from the user. This pops up a dialog basically asking the user to confirm or deny the payment.
      3) Because of exploiting (1), the app drawn window obscures the message.
      4) iOS interprets the use of Touch ID as confirmation of the payment.
      5) Because of something in the background (App Store processing - it can hang the UI thread, it seems), the app loses control of the top-level window it's forcing, and iOS draws the confirmation dialog so it appears.
      6) When the app gets notification that the user paid, it removes the message as well.

      Step 5 happens, and sometimes when music is playing by the app, the music is paused, which seems to indicate while app store processing is done, either a thread or the entire app is suspended temporarily losing control of whatever it was doing.

      I would suspect somehow the app manages to draw over the App Store dialogs somehow - whether it's through a view bug or a Z-buffering bug or just doing something that somehow causes the window Z order to be incorrect briefly.

      Though I thought usually the dialog first asks for confirmation to which you must say yes or no before you can even authenticate the purchase next, so the app must trick you into tapping a particular part of the screen first...

      Though I wouldn't feel too bad for the people tricked - they can get a refund through Apple.

  3. More mainstream apps too. by rworne · · Score: 3, Informative

    The iHeartRadio app pulls similar bullshit, just not as scammy.

    Shortly after bringing up the app, and around the time you select starting your feed, a near full-screen ad pops up asking if you want a subscription, with a cancel "X" in the top corner and a "Purchase button" on the bottom. Problem is, the whole ad surface is actually a purchase button unless you tap the small area with the "X". If you mess up and have FaceID or touch the home button, it immediately attempts a transaction.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
    1. Re:More mainstream apps too. by ctilsie242 · · Score: 2

      This can be an easy fix on Apple's part. Just like when an app asks for permissions with the camera or accessing contacts, iOS should prompt the user and state that the app is wanting to have access to the fingerprint scanner for payments. Perhaps have a dialog that only allows access for "x" amount of time before iOS requests permissions for the app to use the fingerprint scanner again, and showing the user what things the app might ask for in in-app payments.

  4. Payment by Phone by nukenerd · · Score: 3, Insightful

    With payment by phone, expect plenty more scams like this.