![](\"https:\/\/media.wired.com\/photos\/5c058906d537792d054b53fb\/master\/pass\/Fingerprint-171151164.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Brian Barrett| Date: Mon, 03 Dec 2018 20:50:34 +0000<\/strong><\/p>\n One of the <\/span>joys of Touch ID<\/a> is how seamlessly it works. It rarely takes more than an instant to unlock your iPhone<\/a> or approve a purchase. But recently a handful of scam apps have turned that ease of use against anyone unlucky enough to download them.<\/p>\n In separately reported incidents<\/a>, apps posing as health assistants invite users to use Touch ID before they show a calorie tracker, or take a heart rate measurement, or some other seemingly legitimate function. Once you scan your fingerprint, though, the apps briefly show an in-app purchase popup instead, charging anywhere from $90 to $120, and simultaneously dim the screen to make it hard to see the prompt. In some cases, even if you decline to use Touch ID to enable a feature, the app asks you to tap to continue\u2014and try the in-app payment scam instead.<\/p>\n Charging exorbitant, unscrupulous fees within apps violates Apple\u2019s App Store guidelines; the apps in question, innocuously named \u201cHeart Rate Monitor,\u201d \u201cFitness Balance app,\u201d and \u201cCalories Tracker app,\u201d have all been pulled. It\u2019s unclear if they came from separate developers, or one person operating multiple developer accounts. Either way, to pull off the scam they all rely not on malware but on duplicity\u2014and an insight into how we use Touch ID.<\/p>\n \u201cAs soon as you put your finger on there, it starts scanning, so it\u2019s ready and acting very quickly,\u201d says Stephen Cobb, senior security researcher at cybersecurity firm ESET, which wrote about<\/a> two of the bogus apps Monday. \u201cSomeone cleverly figured out they could use the way that\u2019s implemented to get people to do things that they don\u2019t want to do.\u201d<\/p>\n Touch ID has long been used for more than just unlocking your iPhone, after all. You use it for Apple Pay<\/a> and for authentication on various apps. It\u2019s fast, it\u2019s easy, and it works, which means you\u2019re less likely to give much thought to using it when an app asks you to. And when you do put your finger on the home button, there\u2019s no extra prompt to confirm that you actually meant to.<\/p>\n "Crooks will often come up with clever ideas to bypass initial screening mechanisms."<\/p>\n J\u00e9r\u00f4me Segura, Malwarebytes<\/p>\n Cobb compares the scenario to the early days of QR codes<\/a>, when scanners had no built-in mechanisms to verify where that square of black squiggles would send you. \u201cThis is exactly the same thing,\u201d he says. \u201cThis great idea for a novel form of input, your fingerprint, has been enabled in a wide range of programs. The fact that there\u2019s no confirmation step involved in the way that this input is set up enables you to bypass user confirmation.\u201d<\/p>\n It\u2019s unclear how many people actually lost money to the scams, although a recent Reddit thread<\/a> indicates that a least a few have. More troubling, though, is the grift\u2019s reproducibility. The App Store\u2019s initial vetting may be thorough, but bad actors still find ways around it, especially after they get that initial approval.<\/p>\n \u201cRogue apps are a problem for both iOS and Android, although they tend to be less prevalent for the former due to a more locked down ecosystem,\u201d says J\u00e9r\u00f4me Segura, head of threat intelligence at cybersecurity firm Malwarebytes. \u201cHowever, crooks will often come up with clever ideas to bypass initial screening mechanisms. Over time, they will push out updates to the app and adjust in-app purchases, where most of the problems and abuses lay.\u201d<\/p>\n