Victims were lured by positive reviews and relatively high app ratings.
Reddit users have flagged suspicious applications in the official Apple App Store: a pair of healthy-lifestyle apps that secretly tried to charge money to the user's linked credit card.
More information about the threat was published by Ars Technica.
Positive ratings were bait
The Fitness Balance and Calories Tracker apps were aimed at sports enthusiasts and promised to track basic health metrics such as exercise, fitness and calories burned.
According to the security company ESET, both apps were listed in the official App Store with several 5-star ratings and at least 18 positive reviews each; the average rating was 4.3 out of 5. At first glance, these fitness tools raised no suspicion.
On first launch, a pop-up asks the user to scan their fingerprint. Under the pretext of personalization (tracking calories burned, showing dietary recommendations, and so on), the user is told to authenticate with Touch ID.
The fingerprint authorizes a payment
While the user's finger is on the sensor, the app attempts to charge the linked credit card $99.99, $119.99 or $139.99. The fingerprint scan is not used for personalization at all: it confirms an App Store purchase, and the user learns this only when it is too late, because the system's payment confirmation showing the amount appears for just a brief moment. Note that the app itself never sees the fingerprint; Touch ID only confirms the purchase to the App Store, which is exactly what the scam relies on.
If the Apple ID has a credit card on file, the transaction counts as authorized and the money goes to the app's developer immediately, with no further confirmation or authentication.
Apps have already been removed from the store
One Reddit user tried to contact the developer of the malicious apps, but the reply was apparently an automated message promising to fix the "bug" in the next version. Apple has since removed both apps from the store. According to Bleeping Computer, affected users can request a refund through the following link.
Preliminary findings also explain how a malicious app could collect so many positive reviews: they were fake, planted to boost the app's visibility and make it look like a safe, useful fitness tool.
How can you protect yourself from similar threats? On the iPhone X, which uses Face ID, purchases can be made to require a double-click of the side button before they are confirmed (the "Double Click to Pay" feature), so a purchase cannot be authorized by a glance alone. Users of Touch ID devices have to give up some convenience: the only option is to disable Touch ID for the iTunes Store and App Store in Settings > Touch ID & Passcode, so that every purchase requires the Apple ID password instead. See the official documentation at this link for instructions.