(Credit: Macrovector/Shutterstock)

While Apple and Google have taken a few hits recently over malicious apps sneaking into their app stores, there's usually a technical angle to how bad actors use this software to get things that they shouldn't. On Android, it frequently comes in the form of an app asking for permissions that it should have no interest in, like a calculator wanting access to your phone's contact list or physical location.

With iOS, Apple tends to avoid letting an app have access into the inner layers of the operating system, but there are more ways than programming code hacks to fraudulently separate a user from their money.

SEE: Apple wipes more than 700 apps from Chinese App Store for security violations

9to5Mac reports on an app called Heart Rate Measurement (which has been removed), which promises to examine your pulse when you tap an iPhone's home button with your finger. This would also be intended to authorize an expensive in-app purchase via Touch ID.

The problem is that Apple's home button does not have any kind of pulse sensor. An Apple Watch has a special sensor for this, but the home button on the company's other mobile devices only registers taps and Touch ID fingerprints. You tap it to go to your main screen or confirm a purchase, double-tap to open the task switcher, long-press to open Siri, and that's pretty much it. Sometimes you can use Touch ID to lock an app as well.

But since the "average" user may not be aware of Touch ID's exact capabilities, they could be tricked into thinking that it can do more than what they've heard about, and that's where this scam comes in. When you place your finger on the home button with the idea that this sham app will check your pulse, what it's really doing is tricking you into making a $90 in-app purchase. It's snake oil for the twenty-first century.

FOLLOW Download.com on Twitter for all the latest app news.

Of course, Apple now uses Face ID for its newer iPhones and the latest iPad Pro, but users of MacBooks and older iPhones and iPads are still susceptible to Touch ID shenanigans -- and Face ID is arguably even more suited to this modern con. Because after all, the latter tech can see your whole face, instead of just one fingerprint. There's a much larger amount and variety of data that a fly-by-night app developer can claim to extract from Face ID.

Given that a legion of holiday shoppers are looking for new gadgets to get their parents and grandparents right now, they may want to consider adding a list of phone security tips as a stocking stuffer for less technical gift recipients, and some general advice about protecting your online privacy. Because the best way to fight scams like this is by educating the user.

Correction: In the original version of this article, Instant Heart Rate: HR Monitor was incorrectly identified as the app in question. The malicious app was named "Heart Rate Measurement."

Takeaways

  • An iOS app promising to check your pulse by using the device's home button instead used Touch ID to trick you into making an expensive purchase. The app has been removed from the App Store.
  • It's a trick because Apple's home button can't actually detect a pulse.

Also see



Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.