Apps Exploiting Touch ID to Steal Money Booted Out by Apple

touch web

In yet another example of fake apps trying to scam users, multiple iOS fitness apps have been removed from the App Store after they were found trying to deceive users and charge a fee ranging from $99 to $139. WeLiveSecurity recently discovered that the apps asked users to use Touch ID to collect health data, but instead, they used the fingerprint data to authenticate a payment.

At least three fake fitness apps were reported by users trying to deceive them into making a payment from their App Store wallet by using Touch ID to pay a high fee. Following the complaints, Apple has removed ‘Heart Rate Monitor’, ‘Fitness Balance’ and ‘Calories Tracker’, all of which were trying to steal money from users using the same method.

Apps Exploiting Touch ID to Steal Money Booted Out by Apple

Multiple users have reported the incidents of scammy health and fitness apps trying to charge them an exorbitant fee for using the service on Reddit. But the worst part is that many have already fallen for the trick because the payment authentication message pops-up when their finger is on the Touch ID sensor for heart rate measurement or collecting any other vital information.

Apps Exploiting Touch ID to Steal Money Booted Out by Apple

The hack is quite simple and takes advantage of the fact that a large number of users utilize Touch ID for authenticating a payment. Moreover, the fast authentication speed makes it more convenient for the fraudsters to send a payment confirmation pop-up, and before users can completely process what is happening, the payment has already been completed using their fingerprint data.

To make the scammy fitness apps look legitimate, the fraudsters posted fake reviews of the fitness apps raving about its capabilities and giving it a 5-star rating on the App Store. Victims who contacted the app’s developers got a simple reply that it was due to a bug and will soon be fixed via an update. But the good news is that users can prevent getting scammed by disabling Touch ID payments for iTunes and the App Store.

VIA Wired
comment Comments 0
Leave a Reply