Despite Apple’s stringent measures to keep the App Store safe from security incidents, two apps managed to trick users into automatically approving payments using Touch ID. Fitness Balance and Calories Tracker were caught using misleading popups to authorize Touch ID payments. The apps required users to use Touch ID when firing up the app for the first time to get access to the content.
Both apps were designed by the same developer and showed similar behavior. According to Lukas Stefanko, a mobile security researcher at ESET, the apps were not only dishonest with the popups but also deployed fake reviews to boost ratings. According to Stefanko, “Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.”
Users who are accustomed to iOS easily guessed that something was wrong with the popups, as it is not normal for an app to request Touch ID approval on Apple devices simply for accessing its content. Another red flag that affected users could have spotted was the presence of the transaction payment details, which appeared for a short period before disappearing. Users who approved the Touch ID request and had a payment card registered on their App Store accounts had $99.99 deducted on approval. Users who chose not to start the apps because of the suspicious requests were not able to access the apps at all.
Users who were affected can reach out to Apple about refunds. The tech giant will be refunding all fraudulent transactions to the original owners’ accounts. Payment details have not been stolen by the developers and users do not need to worry about their Touch ID details.