Beware of cunning fraud with a Touch ID that entered the App Store

One of the advantages of the Touch ID system is how well it works. It rarely takes more than one moment to unlock an iPhone or approve a purchase. Recently, however, several fraudulent applications have turned this ease of use into a weapon against anyone who is not lucky to download them.

Several unrelated sources report applications that are supposedly related to health monitoring, offer users to track calories consumed, measure heart rate or take action, or other legitimate actions. After you scan a fingerprint, such an application quickly displays a pop-up window with an internal purchase and deducts from $ 90 to $ 120, at the same time reducing the brightness of the screen so that this window is difficult to see. In some cases, even if you refuse to use the Touch ID, the application asks you to click a button to continue, and tries to make an internal payment.

It is impossible to take exorbitant, unscrupulous amounts from users within applications by the rules of the Apple App Store; the applications described, called the named “Heart Rate Monitor”, “Fitness Balance app” and “Calories Tracker app”, have already been removed from there. It is not known whether one developer made them under different accounts or different ones. In any case, their work was not based on malware, but on simple deception - and on a good understanding of how we use Touch ID.
')
“As soon as you put your finger on the button, it starts scanning, so it’s ready in advance and works very quickly,” says Stephen Cobb, chief security researcher at an information security company ESET, who wrote about two fake applications on Monday. “Someone cunning invented and embodied a way in which people could be made to do something they didn’t want.”

The Touch ID system has long been used not only to unlock the phone. It is used for Apple Pay and authorization in various applications. Working with it is quick and easy, so users no longer think about it when asked by the application. And when you put your finger on the "Home" button, there is no additional request confirming that you have done this on purpose.

Cobb compares this scenario with the early era of QR codes, when the scanners had no defense mechanism that checked where they would send you a small square with black squiggles. “It's absolutely the same thing,” he says. - Great idea, new input type, fingerprint reader, allowed us to create a huge variety of programs. The absence of a confirmation step allows you to bypass the user's confirmation. ”

It is not known how many people lost money because of these fraudulent activities, although at least a few people responded to a recent thread on Reddit . Worse that this approach is easy to reproduce. Perhaps the initial selection of programs for the App Store goes and carefully, but fraudsters will be able to bypass it, especially after receiving initial approval.

“Fraudulent apps are a problem for both iOS and Android, although they are smaller for the first OS because of a more closed ecosystem,” said Jerome Segura, head of threat research at Malwarebytes. “However, fraudsters often come up with tricky ideas to circumvent the initial checks. Over time, they update the applications, and correct the procedures for internal purchases - where most of the problems are concentrated. ”

The good news is that people with iPhone X and newer models will not have such problems, primarily because these models do not have a Home button. And to use Apple Pay through Face ID, you must double-click on the side button.

But this is not easier for older iPhones - and still there are still a lot of these models on hand. The best that owners of iPhones can do up to the 8th model is to stay alert and use Touch ID only in applications that have reasons to trust. Apple, for its part, can also reduce the likelihood of success of such a scam by more rigorously evaluating applications or entering an additional confirmation step to use Touch ID, although such measures will cause additional irritation. And it probably will not make any sense for Cupertino, unless the scale of such problems does not increase to unacceptable sizes - especially due to the fact that the Touch ID is gradually withdrawn from circulation in the last year.

“I repeat that the convenience and ease of use of new technologies can turn to us the other side,” says Segura. “Confirming purchases with the touch of a finger is a seamless procedure, but unfortunately, fraudsters just as easily can use it to harm.”