
Fake fitness apps steal money using Apple’s Touch ID feature

Apple has removed a pair of fake fitness apps from its App Store after they tricked users into making expensive purchases via the Touch ID biometrics feature.

Named the “Fitness Balance app” and “Calories Tracker app,” the two malicious programs cleverly instruct victims to scan their fingerprints in order to view their personalized calorie tracker and diet recommendations. But in reality, the scan is used to verify a payment of $99.99 or more.

The app announces these payments in a sneaky pop-up window that appears for approximately one second before promptly vanishing. "...If the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams," wrote ESET researcher Lukas Stefanko, who detailed the scam in a Nov. 3 company blog post, citing user complaints posted on Reddit.

Reportedly, the Fitness Balance app doesn't take "no" for an answer. If the user doesn't scan his or her finger, the app presents another pop-up featuring a "Continue" button. But pressing that button just starts the process over, repeating the app's attempt to force a payment using Touch ID.

According to Stefanko, the apps purported to calculate body mass index, monitor daily calorie intake, and provide users with reminders to hydrate. The Fitness Balance app even received numerous five-star ratings and at least 18 positive reviews, but presumably these were added by the scammers.

SC Media has reached out to Apple for comment.


Bradley Barth

