Apple has removed a pair of fake fitness apps from its App Store after they tricked users into making expensive purchases via the Touch ID biometrics feature.
Named the “Fitness Balance app” and “Calories Tracker app,” the two malicious programs cleverly instruct victims to scan their fingerprints in order to view their personalized calorie tracker and diet recommendations. But in reality, the scan is used to verify a payment of $99.99 or more.
The app announces these payments in a sneaky pop-up window that appears for approximately one second before promptly vanishing. "...If the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," wrote ESET researcher Lukas Stefanko, who detailed the scam in a Nov. 3 company blog post, citing user complaints posted on Reddit.
Reportedly, the Fitness Balance app doesn't take "no" for an answer. If the user doesn't scan his or her finger, the app presents another pop-up featuring a "Continue" button. But pressing that button just starts the process over, repeating the app's attempt to force a payment using Touch ID.
According to Stefanko, the apps purported to calculate body mass index, monitor daily calorie intake, and provide users with reminders to hydrate. The Fitness Balance app even received numerous five-star ratings and at least 18 positive reviews, but presumably these were added by the scammers.
SC Media has reached out to Apple for comment.