One of the joys of Touch ID is how seamlessly it works. It rarely takes more than an instant to unlock your iPhone or approve a purchase. But recently a handful of scam apps have turned that ease of use against anyone unlucky enough to download them.
In separately reported incidents, apps posing as health assistants invite users to use Touch ID before they show a calorie tracker, or take a heart rate measurement, or some other seemingly legitimate function. Once you scan your fingerprint, though, the apps briefly show an in-app purchase popup instead, charging anywhere from $90 to $120, and simultaneously dim the screen to make it hard to see the prompt. In some cases, even if you decline to use Touch ID to enable a feature, the app asks you to tap to continue—and try the in-app payment scam instead.
Charging exorbitant, unscrupulous fees within apps violates Apple’s App Store guidelines; the apps in question, innocuously named “Heart Rate Monitor,” “Fitness Balance app,” and “Calories Tracker app,” have all been pulled. It’s unclear if they came from separate developers, or one person operating multiple developer accounts. Either way, to pull off the scam they all rely not on malware but on duplicity—and an insight into how we use Touch ID.
“As soon as you put your finger on there, it starts scanning, so it’s ready and acting very quickly,” says Stephen Cobb, senior security researcher at cybersecurity firm ESET, which wrote about two of the bogus apps Monday. “Someone cleverly figured out they could use the way that’s implemented to get people to do things that they don’t want to do.”
Touch ID has long been used for more than just unlocking your iPhone, after all. You use it for Apple Pay and for authentication on various apps. It’s fast, it’s easy, and it works, which means you’re less likely to give much thought to using it when an app asks you to. And when you do put your finger on the home button, there’s no extra prompt to confirm that you actually meant to.
“Crooks will often come up with clever ideas to bypass initial screening mechanisms.”
Jérôme Segura, Malwarebytes
Cobb compares the scenario to the early days of QR codes, when scanners had no built-in mechanisms to verify where that square of black squiggles would send you. “This is exactly the same thing,” he says. “This great idea for a novel form of input, your fingerprint, has been enabled in a wide range of programs. The fact that there’s no confirmation step involved in the way that this input is set up enables you to bypass user confirmation.”
It’s unclear how many people actually lost money to the scams, although a recent Reddit thread indicates that a least a few have. More troubling, though, is the grift’s reproducibility. The App Store’s initial vetting may be thorough, but bad actors still find ways around it, especially after they get that initial approval.
“Rogue apps are a problem for both iOS and Android, although they tend to be less prevalent for the former due to a more locked down ecosystem,” says Jérôme Segura, head of threat intelligence at cybersecurity firm Malwarebytes. “However, crooks will often come up with clever ideas to bypass initial screening mechanisms. Over time, they will push out updates to the app and adjust in-app purchases, where most of the problems and abuses lay.”
The good news is that anyone with an iPhone X or later won’t get caught up in the fraud, since those devices don’t have a home button to begin with. To use Apple Pay with Face ID, you need to double-click the side button on those devices.
That doesn’t help for older iPhones, though, of which there are plenty still in use. The best anyone with an iPhone 8 or earlier can do is stay vigilant, and only use Touch ID on apps they have reason to trust. Apple, too, could help reduce the likelihood of this type of scam with more stringent ongoing reviews of apps, or by introducing some sort of extra confirmation mechanism to Touch ID, although either of those would create their own frustrations. Which, unless the scale of these cams increases dramatically, may not make sense for Cupertino, especially with Touch ID being gradually phased out as of last year. Apple did not respond to a request for comment.
“Once again, convenience and ease of use brought by new technologies come back to haunt us,” Segura says. “While validating payments with the touch of a finger is a seamless experience, it can unfortunately be abused by scammers just as easily.”