iOS TouchID used to Automatically Charge Users through Scam Fitness Apps

ESET security researcher Lukas Stefanko reported that two iOS fitness apps, “Fitness Balance” and “Calorie Tracker,” were abusing Apple’s touch-to-pay feature in an attempt to charge users without their consent. These apps displayed pop-ups prompting users to scan their fingerprint in order to unlock calorie trackers and diet recommendations; however, doing so would trigger an automatic charge attempt against the user’s credit card, ranging from $99 to $139. Users who had “Double Click to Pay” enabled were protected against the charge, because the purchase then requires an explicit physical confirmation rather than a single fingerprint scan. The apps also had phony positive reviews in the App Store, making them appear more legitimate. Apple is aware of these scams and has removed the apps from the App Store.

To protect yourself against automatic app charges, the NJCCIC recommends that iPhone X users enable the “Double Click to Pay” feature and that all other iPhone users disable Touch ID for payments by going to Settings, then Touch ID & Passcode, and disabling “Use Touch ID for iTunes & App Store.” You can further protect yourself by evaluating negative app reviews to determine an app’s legitimacy, and by visiting our iOS malware threat profile for additional security recommendations. Victims of the scam can submit a report to Apple here.
