New Scam Apps Take Advantage of iPhone Touch ID

Wired

One of the joys of Touch ID is how seamlessly it works. It rarely takes more than an instant to unlock your iPhone or approve a purchase. But recently a handful of scam apps have turned that ease of use against anyone unlucky enough to download them.

In separately reported incidents, apps posing as health assistants invite users to use Touch ID before they show a calorie tracker, take a heart rate measurement, or perform some other seemingly legitimate function. Once you scan your fingerprint, though, the apps briefly show an in-app purchase popup instead, charging anywhere from $90 to $120, and simultaneously dim the screen to make the prompt hard to see. In some cases, even if you decline to use Touch ID to enable a feature, the app asks you to tap to continue—and tries the in-app payment scam instead.

Charging exorbitant, unscrupulous fees within apps violates Apple’s App Store guidelines; the apps in question, innocuously named “Heart Rate Monitor,” “Fitness Balance app,” and “Calories Tracker app,” have all been pulled. It’s unclear if they came from separate developers, or one person operating multiple developer accounts. Either way, to pull off the scam they all rely not on malware but on duplicity—and an insight into how we use Touch ID.

“As soon as you put your finger on there, it starts scanning, so it’s ready and acting very quickly,” says Stephen Cobb, senior security researcher at cybersecurity firm ESET, which wrote about two of the bogus apps Monday. “Someone cleverly figured out they could use the way that’s implemented to get people to do things that they don’t want to do.”

Touch ID has long been used for more than just unlocking your iPhone, after all. You use it for Apple Pay and for authentication on various apps. It’s fast, it’s easy, and it works, which means you’re less likely to give much thought to using it when an app asks you to. And when you do put your finger on the home button, there’s no extra prompt to confirm that you actually meant to.

Cobb compares the scenario to the early days of QR codes, when scanners had no built-in mechanisms to verify where that square of black squiggles would send you. “This is exactly the same thing,” he says. “This great idea for a novel form of input, your fingerprint, has been enabled in a wide range of programs. The fact that there’s no confirmation step involved in the way that this input is set up enables you to bypass user confirmation.”

It’s unclear how many people actually lost money to the scams, although a recent Reddit thread indicates that at least a few have. More troubling, though, is the grift’s reproducibility. The App Store’s initial vetting may be thorough, but bad actors still find ways around it, especially after they get that initial approval.

“Rogue apps are a problem for both iOS and Android, although they tend to be less prevalent for the former due to a more locked down ecosystem,” says Jérôme Segura, head of threat intelligence at cybersecurity firm Malwarebytes. “However, crooks will often come up with clever ideas to bypass initial screening mechanisms. Over time, they will push out updates to the app and adjust in-app purchases, where most of the problems and abuses lie.”

The good news is that anyone with an iPhone X or later won’t get caught up in the fraud, since those devices don’t have a home button to begin with. To use Apple Pay with Face ID, you need to double-click the side button on those devices.

That doesn’t help for older iPhones, though, of which there are plenty still in use. The best anyone with an iPhone 8 or earlier can do is stay vigilant, and only use Touch ID on apps they have reason to trust. Apple, too, could help reduce the likelihood of this type of scam with more stringent ongoing reviews of apps, or by introducing some sort of extra…
