One of the joys of Touch ID is its seamless operation. It rarely takes more than a moment to unlock your iPhone or approve a purchase. Recently, however, a handful of scam apps have turned that very ease of use against anyone unlucky enough to download them.
In separately reported incidents, apps posing as health and fitness tools prompted users to scan a fingerprint with Touch ID before they could view a calorie tracker, a heart rate monitor, or some other seemingly legitimate feature. Once the fingerprint is scanned, however, the apps briefly display an in-app purchase prompt for a charge of between $90 and $120. At the same time, the screen is dimmed so that the prompt is barely visible. Even if you decline to use Touch ID to activate the feature, in some cases you are prompted to continue, and the in-app payment fraud is attempted instead.
Charging exorbitant, unscrupulous fees inside an app violates Apple's App Store policies, and the apps in question, innocuously named "Heart Rate Monitor," "Fitness Balance App," and "Calories Tracker App," have all been pulled. It is unclear whether they came from separate developers or from one person running multiple developer accounts. Either way, the scams rely not on malware but on duplicity.
"As soon as you put your finger on it, the scan starts, so it's done very quickly," says Stephen Cobb, senior security researcher at cybersecurity firm ESET, who wrote about two of the fake apps on Monday. "Someone cleverly figured out that they could use that established pattern to get people to do things they didn't want to do."
Touch ID has long been used for more than unlocking your iPhone. You use it for Apple Pay and to authenticate in all sorts of apps. It's fast, it's easy, and it works, which means you don't think twice when an app prompts you for it. And once you put your finger on the home button, there is no further request to confirm that you really intended to approve anything.
"Crooks will often come up with clever ideas to circumvent the first screening mechanisms."
Jérôme Segura, Malwarebytes
Cobb compares the scenario to the early days of QR codes, when scanners had no built-in mechanism to check where that square of black squiggles would send you. "It's exactly the same," he says. "This great idea for a novel form of input, your fingerprint, has been enabled in a variety of programs. The fact that there is no confirmation step built into this input allows the user confirmation to be bypassed."
It is not clear how many people actually lost money to the scams. More troubling, however, is how easily the scheme can be repeated. The App Store's initial review may be thorough, but bad actors still find ways around it, especially once they have gotten that approval.
"Rogue apps are a problem for both iOS and Android, although they are less common on the former because of its locked-down ecosystem," says Jérôme Segura, head of cybersecurity research at Malwarebytes. "Crooks, however, often come up with clever ideas to bypass the initial screening mechanisms. Over time, they will push updates to the app and adjust the in-app purchases, which is where the most common problems and abuses occur."
The good news is that anyone with an iPhone X or later is not exposed to this particular fraud, since those devices do not have a home button. To use Apple Pay with Face ID, you must double-click the side button; that double-click is the explicit confirmation step that a Touch ID scan lacks.
That is no help for older iPhones, however, many of which are still in use. The best an owner of an iPhone 8 or earlier can do is stay alert and use Touch ID only in apps they trust. Apple could also reduce the likelihood of this kind of fraud by running stricter ongoing app reviews or by adding a separate confirmation step to Touch ID, though both could frustrate users. Unless the volume of these scams rises dramatically, that may not make sense to Cupertino, especially since Touch ID has been phased out of its newest phones since last year. Apple did not respond to a request for comment.
"Once again, the convenience and ease of use brought by new technologies come back to bite us," says Segura. "Confirming payments with a tap is a seamless experience, but it can just as easily be abused by scammers."