The app strategically places in-app purchase confirmations and pop-ups so that they appear while users’ fingers are still resting on the fingerprint scanner (the home button), leading to ‘accidental’ payment confirmations.
Crypto scams have been evolving into full applications lately. As cryptocurrencies continue to thrive, scammers have become more than willing to go to greater lengths to get their hands on some. Towards the end of July, a game called Abstractism was delisted and its developer banned from the gaming platform Steam, after it was found that the game cryptojacked players’ computers. Based on the way the game worked, it looked like this was the primary motive for building the entire game in the first place. After all, gamers have good hardware for crypto mining.
And now, another seemingly malicious developer is allegedly cashing in on the cryptocurrency hype, although through a different modus operandi. The suspiciously named “BINANCE” widget doesn’t seem to be connected with the legitimate cryptocurrency exchange.
Despite its decent 4.1 rating on the App Store, the BINANCE Crypto widget has gathered some disturbing reviews. According to users, the app exploits Apple’s UI by timing its in-app purchase pop-ups to appear when the user’s finger is expected to still be resting on the home button. On Apple phones, the home button functions as a fingerprint scanner that also serves as the confirmation, or “signature,” for purchases. Users allege that the app intentionally designed these “random” purchase pop-ups to deceive users into accidentally approving charges to their card. Users also say that there were no confirmation messages to verify that the charge was authorized.
Charges range from $34 to around $200, as far as the visibly angry reviews claim.
“As soon as you open the app it prompts for an in-app purchase, and if you have your finger on the fingerprint scanner, it will go through. I didn’t get tricked by it but I easily could see it happening and this is a glaring exploit in the in-app purchase system,” u/winlifeat wrote in a Reddit thread.
“Just because I’m bored and have resources available to me, if anyone manages to find a way to contact the developer, or finds his country of origin, I would love to inform him of the evidence I have collected and my plan to go to his local authorities. He faked a bunch of good reviews because all you can see is 1 star ones when you look.”
The user goes on to threaten legal action, adding that he or she has the capability to aid in an arrest, seemingly citing the recent apprehension of Joel Ortiz, a primary suspect in the $5 million SIM swapping scam that targeted cryptocurrency holders.
“I find joy in bringing scammers’ work up to their face and watching them squirm as they realize they’re not so anonymous after all. In most countries this legitimately would be an illegal theft by deception and I am going to try to attain prosecution against him or her.
I recently helped provide info to get a bitcoin bandit using SIM swapping arrested, you may have heard of joell [sic] recently.”
While the charges to the users’ credit cards can easily be reversed, Apple should take a good look at this possible UI flaw. They might also want to tighten their screening processes, since scam applications will probably be on the rise in the very near future.