{"id":4543,"date":"2018-12-04T11:32:08","date_gmt":"2018-12-04T06:02:08","guid":{"rendered":"https:\/\/qadit.com\/blog\/scam-ios-apps-promise-fitness-steal-money-instead\/"},"modified":"2018-12-04T11:32:08","modified_gmt":"2018-12-04T06:02:08","slug":"scam-ios-apps-promise-fitness-steal-money-instead","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/scam-ios-apps-promise-fitness-steal-money-instead\/","title":{"rendered":"Scam iOS apps promise fitness, steal money instead"},"content":{"rendered":"<p><strong>Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users.<br \/>\n<\/strong><\/p>\n<p>Multiple apps posing as fitness-tracking tools were caught misusing Apple\u2019s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes.<\/p>\n<p>There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called \u201cFitness Balance app\u201d and \u201cCalories Tracker app\u201d, and at first glance appeared to put users on the road to fitness \u2013 they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.<\/p>\n<p>After a user fires up any of the above mentioned apps for the first time, the apps request a fingerprint scan to \u201cview their personalized calorie tracker and diet recommendations\u201d (Figure 1). 
Only moments after the user complies with the request and places their finger on the fingerprint scanner, the apps display a pop-up showing a dodgy payment amounting to 99.99, 119.99 USD or 139.99 EUR (Figure 2).<\/p>\n<p>This pop-up is only visible for about a second; however, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams.<\/p>\n<p>Based on the user interface and functionality, both apps were most likely created by the same developer. Users have also posted videos of \u201cFitness Balance app\u201d and \u201cCalories Tracker app\u201d on Reddit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/12\/Figure-1.png\" alt=\"Scam iOS apps\" height=\"1082\" width=\"999\" \/><\/p>\n<p>Figure 1 \u2013 Scam apps in Apple\u2019s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)<\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/12\/Figure-2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/12\/Figure-2.png\" alt=\"Scam iOS apps\" height=\"1082\" width=\"1200\" \/><\/a><\/p>\n<p>Figure 2 \u2013 Dodgy payment popping up in \u201cFitness Balance app\u201d and \u201cCalories Tracker app\u201d (Image source: Reddit)<\/p>\n<p>If users refuse to scan their finger in \u201cFitness Balance app\u201d, another pop-up is displayed, prompting them to tap a \u201cContinue\u201d button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure.<\/p>\n<p>Despite its malicious nature, the \u201cFitness Balance app\u201d received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. 
Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.<\/p>\n<p>Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of \u201cFitness Balance app\u201d, but only received a generic response promising to fix the reported \u201cissues\u201d in the upcoming version 1.1 (Figure 3).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/12\/mailToDeveloper1.jpg\" alt=\"Scam iOS apps\" height=\"731\" width=\"750\" \/><\/p>\n<p>Figure 3 \u2013 Users who directly contacted the developer received what seems to be an automatic reply<\/p>\n<h2><strong>What can users do to avoid similar threats?<\/strong><\/h2>\n<p>As Apple doesn\u2019t allow security products in its App Store, users need to rely on the security measures implemented by Apple.<\/p>\n<p>On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.<\/p>\n<p>iPhone X users can also activate an additional feature called \u201cDouble Click to Pay\u201d, which requires them to double-click the side button (Figure 4) to verify a payment.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2018\/12\/sideButton3.jpg\" alt=\"Scam iOS apps\" height=\"1200\" width=\"563\" \/><\/p>\n<p>Figure 4 \u2013 The side button verification feature in premium iPhone X<\/p>\n<p>Those who already fell victim to this scam can also try to claim a refund from the Apple App Store.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users. Multiple apps posing as fitness-tracking tools were caught misusing Apple\u2019s Touch ID feature to steal money from iOS users. 
The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes. There &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/scam-ios-apps-promise-fitness-steal-money-instead\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Scam iOS apps promise fitness, steal money instead&#8221;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[1],"tags":[],"class_list":["post-4543","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-1bh","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4543"}],"version-history":[{"count":0,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4543\/revisions"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/w
p-json\/wp\/v2\/media?parent=4543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}