Two Malicious iOS Fitness Apps Detected and Removed
Two malicious iOS fitness apps, which were being used to cheat users and rob them of their money, have been detected and consequently removed.
The two apps- “Fitness Balance app” and “Calories Tracker app”- were being used to trick users into approving TouchID payments via misleading pop-ups.
Users who got scammed by these apps have been discussing this issue on Reddit since late last week; as per the discussions, it’s clear that both these apps exhibited similar behavior.
One of the users discussing the issue in the Reddit thread says, “So what it does is asking you to keep your finger at the fingerprint, and then the popup for paying for the app shows up. Since you have already your finger there, the payment continues.”
Another user adds, “‘When you open the app it asks you to scan your finger to view your calories, but then an in app purchase pop up appears for $120 and since your finger is already on the Touch ID sensor the payment goes through. Very shady ‘”
The users are first lured into installing these fake fitness apps. As the apps are started for the first time, the users are asked to put their finger on the TouchID sensor to set up and access their content. But the apps would actually be initiating payments in the background, about which the users would remain ignorant.
Mobile security researcher Lukas Stefanko, who works for ESET, has discussed this issue in WeLiveSecurity, wherein he says, “Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes.”
He adds, “There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called “Fitness Balance app” and “Calories Tracker app”, and at first glance appeared to put users on the road to fitness – they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.”
Stefanko goes on to explain that once a user fires up one of these apps, it requests a finger scan stating that it’s for viewing the user’s “personalized calorie tracker and diet recommendations”. The user would most likely comply with this request and moments later the app would display a pop-up showing a dodgy payment, which would amount to 99.99 USD, 119.99 USD or 139.99 EUR. The pop-up would be visible for just a second and users who kept their gaze on the screen could spot the dodgy transactions.
Moreover, if the user has a credit or debit card that’s connected to his Apple account, the transaction is automatically considered verified. The money, without any actual payment being made from the user’s side, is thus wired to the operator of the scams.
It seems, based on the functionality and the user interface, that it’s the same developer who’s behind both these malicious apps.
If a user refuses to scan his fingers, the app would refuse to start, and the same finger-scanning screen would appear in a loop. The user would finally have to either give in or uninstall the app.
An interesting thing about these fake apps is that both of them have got high user ratings. Lukas Stefanko explains why this has happened- “Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a
well-known technique used by scammers to improve the reputation of their apps.”
A user, as is evident from the Reddit discussion thread, even contacted the developer of one of the apps, who responded with a generic response assuring the user that the issue would be fixed in the new version.
After affected users reported the issue to Apple, both the malicious apps were removed from the Apple App Store.
Kevin Jones720 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.