Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users, according to security company ESET.

The payment mechanism used by the apps is swift and unexpected, activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes, says ESET Southern Africa.

There are many apps that promise to assist users on the way to a healthier lifestyle. The apps until recently available in the Apple App Store under the names “Fitness Balance app” and “Calories Tracker app” might have seemed to do just that – they could calculate the BMI, track the daily calorie intake, or remind users to drink more water. However, these services came with an unexpectedly hefty price tag, according to Reddit users.

After a user fires up any of the abovementioned apps for the first time, the apps request a fingerprint scan to “view their personalized calorie tracker and diet recommendations”. Just moments after the user complies with the request and places his/her finger on the fingerprint scanner, the apps display a popup showing a dodgy payment amounting to $99.99, $119.99 or EUR 139.99.

This popup is only visible for about a second, however, if the user has a credit or debit card directly connected to his/her Apple account, the transaction is considered verified and money is wired to the operator behind these scams.

Based on the user interface and functionality, both apps are most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.

If users refuse to scan their finger in “Fitness Balance app”, another popup is displayed, prompting them to tap a “Continue” button to be able to use the app. If they comply, the app tries the repeat the payment procedure again.

Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.

Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of “Fitness Balance app”, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1.

What can users do to avoid similar threats?

As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.

On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.

iPhone X users can also activate an additional feature called “Double Click to Pay”, which requires them to double-click the side button to verify a payment.