They lured users into installing them, and then, right after starting the app for the first time, asked users to press their finger to the TouchID sensor to set up and access their content.
Unbeknownst to users, the two apps were actually initiating payments in the background and using the TouchID scans as approvals for fees of $99.99, $119.99, or €139.99.
If users had a payment card registered in their respective App Store account, the transaction would be accepted and processed immediately.
The apps weren’t flawless, however: a popup revealing the transaction’s payment details would briefly flash on the user’s screen before being automatically dismissed.
Users who kept their gaze on their device’s screen were able to spot the dodgy transactions, according to a Reddit thread where users first reported the scam last week.
If suspicious users refused to scan their fingers, the two apps would refuse to start altogether, and show the same finger-scanning screen in a loop until the user either gave in or uninstalled the app.
Both apps appear to have been designed by the same developer, based on their similar behavior, according to Lukas Stefanko, a mobile security researcher for ESET, who analyzed the two apps earlier today.
The researcher also pointed out that despite the apps’ dishonest behavior, both had high user ratings and received favorable reviews.
“Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps,” Stefanko said.