Shady developers have found a new way to trick users into spending ridiculous sums of money on worthless services.
The scheme, which was discovered by Redditors and reported by the welivesecurity blog, uses TouchID to trick users into in-app purchases, which can be as high as $99.99.
The blog uncovered two such examples, both from purported fitness apps. In both cases, the apps instruct users to hold their finger over their iPhone’s home button in order to “scan” their fingerprint for health data. While the “scan” is happening, though, the app triggers an in-app purchase, which is then authenticated via TouchID and completed before the user even realizes what is happening.
Welivesecurity blog uncovered two examples of this tactic, one called “Calories Tracker app” and one called “Fitness Balance.” Both apps have since been removed by from the App Store by Apple, but you can see it in action in the video below. Apple didn’t immediately respond to a request for comment.
Shady though they are, it appears that these developers’ tactics were extraordinarily successful. “Calories Tracker app,” pulled in $60,000 in November while “Fitness Balance” made $10,000, according to data from app analytics firm Sensor Tower.
The incident also raises the questions about Apple’s ability to detect scams in the first place.
Though Apple’s App Store has a reputation for being safer than other app stores, this isn’t the first time shady developers have been allowed to get their apps into the store. Last year, a number of barely-functional apps were removed for tricking users into paying for exorbitantly-priced subscriptions.
One such app, which also took advantage of the App Store’s search ads, was charging $99.99 weekly for a worthless VPN service. The app was pulling in $80,000 a month before it was eventually removed.