TEHRAN (Press Shia Agency) – Users on Reddit reported over the weekend that at least two highly rated apps in Apple's App Store abused the iOS Touch ID feature to swindle users out of sums of more than $100.
The offending “Fitness Balance app” and “Calories Tracker app” promised to calculate body mass index, monitor calorie intake, and provide other health-related services. With no advance warning, according to two Reddit posts, the apps charged users fees of $99.99, $119, or 139 euros, depending on the user's country. Users who had a credit or debit card connected to their Apple account were billed immediately.
The scam worked by displaying a message as soon as the app was opened. It told users to scan their fingerprint to view a calorie tracker or receive another personal service. When users complied, the apps displayed a popup window saying they had been charged a fee; because the user's finger was still on the Touch ID sensor, that same fingerprint authorized the in-app purchase. Less than two seconds later, the popup disappeared, but by then it was too late for many users. Anyone with a card linked to their Apple account had already been charged, Ars Technica reported.
“So what it does is ask you to keep your finger at the fingerprint, and then the popup for paying for the app shows up,” a Reddit user with the handle kristikoroveshi94 reported. “Since you have already your finger there, the payment continues. And damn what a price this shitty app has. Luckily I don’t have a linked card or paying account.”
Apple removed both apps over the weekend, shortly after the Reddit posters reported them. People who had been charged reported that their requests for refunds were being processed and were expected to be completed in the next 30 days. Company representatives didn’t respond to a request for comment for this post.
The apps carried rave reviews that were most likely written by people connected to the scam. Fitness Balance app had an average rating of 4.3 stars out of a possible five. While Apple responded quickly and all indications are that scammed users will receive refunds, the incident is a reminder that the App Store isn’t immune to scams and malicious apps. iOS users should remember to read a wide selection of reviews before installing unfamiliar apps.
Lukas Stefanko, a researcher with antivirus provider Eset, says that iPhone X users can protect themselves against these types of scams by making use of a feature called “Double Click to Pay,” which requires a double-click of the side button to verify a payment.