Cybersecurity experts have discovered another fraudulent scheme: hackers steal money from people who download fitness apps. The victim does not even suspect she is being robbed: she simply places a finger on the fingerprint scanner, and the money is debited automatically.
Flick of a finger
Several apps from the App Store were caught in a payment fraud in which the user personally approved a money transaction using the Touch ID fingerprint scanner, the ESET press service told Gazeta.Ru.
The malicious apps were called Fitness Balance and Calories Tracker and were meant to monitor the user's physical health: they calculated body mass index and daily calorie intake, and also reminded the user to drink water on time. Although they were free to download, using these apps could hit the user's wallet, as both programs were created by scammers.
When the victim first launched the application, they were asked to use the fingerprint scanner "to get a personalized calorie counter and advice on diet."
Once the user places a finger on the scanner, a window appears on the screen for a second indicating that a purchase of $100-120 has been approved, and then immediately disappears.
The smartphone owner may not even understand what happened, but if a credit card is linked to their Apple account, the payment goes through automatically, since it was approved with Touch ID. Security expert Lukas Stefanko described how the scheme works on his Twitter account.
Scam iOS apps have been found on the Apple App Store tricking users to pay over $100
Apps ask for a fingerprint right at the moment when the payment pop-up shows, which is accepted by the user's fingerprint. https://t.co/7WwT6bhsLF pic.twitter.com/BYZvd7p0VD
Lukas Stefanko (@LukasStefanko), 3 Dec 2018
If the user refuses to place a finger on the scanner, another small window pops up asking them to tap "Continue" to start using the application. After that, the program tries to draw the victim into carrying out the illegitimate transaction.
Judging by the interface and functionality, the apps were probably created by one and the same developer.
Both programs have now been removed from the App Store after complaints from users, but the apps had managed to build a reputation: for example, Fitness Balance has a rating of 4.3 stars out of five. With the help of fake positive reviews and ratings, the scammers try to disguise a malicious app so that more users download it.
This tactic has proved successful: according to analyst firm Sensor Tower, in November 2018 Fitness Balance managed to "earn" about $10 million, and Calories Tracker $60 thousand.
As Boris Sobolev, a technical support specialist for ESET Russia products, explained to Gazeta.Ru, the app creators deliberately violated the guidelines during development.
"They force the user to place a finger on the scanner under the guise of collecting information, while at the same time opening a purchase request using Apple Pay. These are obvious signs of malicious behavior: such applications should not be placed in the official App Store. I think Apple could introduce additional checking procedures to keep users from fraud using such a scheme," said the expert.
To protect yourself from such fraudulent schemes, information security specialists advise reading app reviews carefully, focusing on the negative ones, since they most accurately reflect the nature of the program.
In addition, it is recommended to make the payment confirmation process on your device more complicated to prevent accidental purchases; this feature is available on some smartphones. For example, on iPhone X you can enable a function that approves a transaction only after a double press of the side button.
Deceived in the store
Although the App Store has a reputation as a more secure service than other app stores, this is not the first time attackers have managed to cheat the system. In 2017, a large number of applications were found extorting money for fake subscriptions. For example, an application offering VPN functionality charged the victim $99 on a weekly basis while providing no useful services.
This app earned $80 thousand a month before it was detected and removed from the App Store.
Another application, a QR scanner, offered the user a free trial period. However, by accepting the terms of the free subscription, the victim automatically agreed to a weekly payment of $1, which was debited without the user's involvement.
Although such programs do not carry a direct threat of infection, they are also considered fraudulent, because they trick the user into paying for services he did not need. Such applications are more difficult to identify than viruses, which is why many of them are still available in the official app stores.