Apple has removed two malicious iOS apps that tricked users into approving TouchID payments via misleading popups.
They lured users into installing them, and then, right after starting the app for the first time, asked users to press their finger to the TouchID sensor to set up and access their content.
Unbeknownst to users, the two apps were actually initiating payments in the background and using the TouchID scans as approvals for fees of $99.99, $119.99, or €139.99.
If users had a payment card registered in their respective App Store account, the transaction would be accepted and processed immediately.
The apps weren't perfectly designed, though: a popup revealing the transaction's payment details would briefly flash on the user's screen before being automatically dismissed.
Users who kept their eyes on their device's screen were able to spot the dodgy transactions, according to a Reddit thread where users first reported the scam last week.
If suspicious users refused to scan their fingers, the two apps would refuse to start altogether, and show the same finger-scanning screen in a loop until the user either gave in or uninstalled the app.
Both apps appear to have been designed by the same developer, based on their similar behavior, according to Lukas Stefanko, a mobile security researcher for ESET, who analyzed the two apps earlier today.
The researcher also pointed out that despite the apps' dishonest behavior, both had high user ratings and received favorable reviews.
"Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps," Stefanko said.
iOS users who fell victim to this scam are advised to contact the Apple App Store staff for a refund. Apple's App Store refund procedures are available on this support page.