iOS Apps Exploiting Touch ID To Scam Users

Harin - Dec 05, 2018


Apple has deleted several iOS fitness apps from the App Store after they were found trying to scam users into authenticating payments, charging them fees ranging from $99 to $139.

WeLiveSecurity recently detected suspicious activity in some apps, which asked users to place a finger on the fingerprint scanner, supposedly to collect health data. In fact, the apps used the Touch ID scan to authenticate payments.

Authenticating a payment used to take users more than a few seconds with a complicated password, or a few seconds with a four- or six-digit PIN; with a fingerprint it takes about a second. Users have reported that at least three fake fitness apps tried to scam them into using Touch ID to make a high-fee payment. After receiving the complaints, Apple deleted ‘Fitness Balance’, ‘Calories Tracker’ and ‘Heart Rate Monitor’. All three apps used the method described above.

A Reddit user had already started a topic about this incident, in which many people commented that they were also tricked, since the payment authentication prompt popped up while they were scanning their finger for a heart rate measurement or other health-related information.

Because many users rely on Touch ID for payment authentication, the fraudsters take advantage of it. Moreover, Touch ID authentication is so fast that the $99.99 payment has already been made before users fully understand what is happening.

To make these scam apps seem legitimate and to ensure people would fall for them, fake reviews were posted. The apps were even rated 5 stars on the App Store. Victims who tried to contact the apps' developers after being scammed received a reply saying that it was only a bug and that everything would be fixed in an update.

The good news is that this incident can be prevented if users disable the Touch ID payment authentication feature for iTunes and the App Store.
