Threat Watch

iOS Fitness Apps Scam

Researchers discovered two iOS fitness apps in Apple’s App Store that attempt to scam users out of $99-$119. The two apps are called Calories Tracker app and Fitness Balance App. When the user opens either app, it asks for a fingerprint scan in order to view the calorie tracker and diet recommendations. If the user places a finger on the scanner, the app tries to charge the victim’s saved payment source anywhere from $99-$119. iPhone X users are protected if “Double Click to Pay” is enabled, while users of older iPhones would be charged automatically if there is a payment source on the device. Users who reached out to the developer of the Fitness Balance app received what appeared to be an automated message stating that the issues would be fixed in upcoming versions. Users also reported the apps to Apple, which has since removed them from the App Store.

ANALYST NOTES

If it is available, enable the Double Click to Pay feature to prevent apps like these from creating fraudulent purchases this way. Whether or not this feature is available, it’s also good to know when authentication prompts like this should appear. Biometric prompts such as fingerprint scans shouldn’t appear just to open an app. Typically, they should only appear in places where a normal password prompt might appear (e.g., a banking app login screen) or to confirm a purchase on the App Store.