Submitted by CyberHub Summit on Fri, 12/14/2018 - 10:43
Getting scammed by getting in shape.

The next scandal with fitness apps has just hit the headlines. 

After the Strava scandal, in which the app's heat map inadvertently gave away the locations of servicemen across the Middle East, and the famous breach of 150 million MyFitnessPal users, you may have thought it was all over.

Not so! Both “Fitness Balance app” and “Calories Tracker app”, rather than being victims of cyber fraud, are alleged to be the new fitness-app perpetrators, tricking users into $120 payments. These two apps, available on iPhone, have been abusing the iOS Touch ID feature to steal from unsuspecting fitness-app users.

Both applications appeared perfectly standard: they calculated BMI and tracked your daily calorie intake and glasses of water. They also received positive reviews on the iOS App Store. However, the name-and-shame squad on Reddit threads and at cyber security providers and think tanks such as ESET claimed that the apps were able to grab $120 off users through a pop-up trick using Apple Touch ID.

For those of you unfamiliar with a pop-up, pop-under or any other type of pop that isn’t related to bubble gum: pop-ups are adverts that appear on top of the screen you were originally viewing. Usually you have to hunt for the tiny ‘X’ to dismiss them, which is sometimes quite cleverly hidden. Annoying and intrusive, but not illegal.

However, that is only when they are used for advertising. In the hands of cyber criminals, they can be used to force users into taking an action that is sometimes impossible to reverse.

According to victims of the Fitness Balance and Calories Tracker apps, after the apps were downloaded they requested a fingerprint scan so that users could view their personalized diet and calorie plans. Once the user pressed a finger down to be scanned, a pop-up appeared to confirm a payment of $120. You barely see it (as it is under your finger) and it is only visible for a nanosecond.


Apple's streamlined payment process allows users to connect directly to their Apple account and pay with one touch if a credit or debit card has already been stored in the system. Very handy; unfortunately, in this instance, it just allowed the app to rob you with greater efficiency. The devious pop-up allowed the transaction to be treated as verified, and the cash was immediately transferred to the scammers.

Requesting a refund prompted only a generic response from the apps that the upcoming version would resolve the issues.

So, you may be thinking to yourselves: fine, but not everybody would agree to the fingerprint scan. Well, the thieves thought of that too. If users refuse to be identified by fingerprint, yet another pop-up appears, with a mandatory ‘continue’ button that gives the app another chance to try the same payment procedure again.

The shrewder amongst us, who may have checked the ratings, would have been foiled yet again: the scammers had managed to flood the App Store with fake positive reviews.

Whilst both apps have been removed, there is definitely scope for tricks of a similar ilk. The major issue with the App Store is that Apple refuses to allow security products into the store, which forces users to rely either on reviews, which may have been faked, or on Apple's own security measures, which, as we can quite plainly see, are hardly fool-proof.

Whilst these apps have been stopped in their tracks, the bet is that we will see this fitness fraud again sometime soon.