Apple has removed a pair of fake fitness apps from its App Store after they tricked users into making expensive purchases via the Touch ID biometrics feature. Named the “Fitness Balance app” and “Calories Tracker app,” the two malicious programs cleverly instruct victims to scan their fingerprints in order to view their personalized calorie tracker and diet recommendations. But in reality, the scan is used to verify a payment of $99.99 or more. The app announces these payments in a sneaky pop-up window that appears for approximately one second before promptly vanishing.

“…If the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams,” wrote ESET researcher Lukas Stefanko, who detailed the scam in a Nov. 3 company blog post, citing user complaints posted on Reddit.

Reportedly, the Fitness Balance app doesn’t take “no” for an answer. If the user doesn’t scan his or her finger, the app presents another pop-up featuring a “Continue” button. But pressing that button just starts the process over, repeating the app’s attempt to force a payment using Touch ID.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street