Authenticator App Reportedly Uses App Store Advertising to Scam Users, Collects Secret QR Codes

Some copycat two-factor authenticator apps have annual subscriptions priced at up to $40 (roughly Rs. 3,300).

Written by David Delima, Edited by Siddharth Suvarna | Updated: 22 February 2023 14:33 IST

Authenticator App Reportedly Uses App Store Advertising to Scam Users, Collects Secret QR Codes

Photo Credit: Unsplash/ Gilles Lambert

Two-factor authenticator apps can help users add a second layer of security to their accounts

Highlights

Copycat two-factor authenticator apps have been spotted on the App Store
These apps can charge up to $40 (roughly Rs. 3,300) in annual fees
Users can opt for well-known apps from Google, Twilio for 2FA security

Authenticator apps like Authy and Google Authenticator help users add a second layer of security to their account, preventing malicious actors from accessing their personal information and data. Last week, Twitter announced that it would soon discontinue access to SMS-based two-factor authentication (2FA) for users who have not subscribed to the company's Twitter Blue service. Developers have now begun to flood the app store with authenticator apps that ask users to pay a subscription fee before they can add any accounts.

Security company Mysk claims (via 9to5Mac) that there are several similar-looking authenticator apps that have recently been published to the App Store. Unlike Authy and Google Authenticator that allow users to scan QR codes to set up 2FA on their accounts, these applications first require users to sign up for a free trial that converts into a subscription priced as high as $40 (roughly Rs. 3,300) per year. Gadgets 360 was able to confirm that some of these apps with annual subscriptions are currently available on the App Store.

The timeless art of authenticators!
All these authenticator apps are free and offer in-app purchases. You install them to discover that you can't scan any QR code until you subscribe, $40/year with 3 days free trial. The apps are very similar. 🧐#iOS #AppStore #2FA pic.twitter.com/OIW3XQZIwN
— Mysk 🇨🇦🇩🇪 (@mysk_co) February 19, 2023

In a separate tweet, the company also warns that at least one of these authenticator apps is running an advertising campaign on the App Store, and a screenshot reveals that it is the first app to show up when searching for "authenticator". According to Mysk, this app sends the contents of the scanned QR code to the developer's Google Analytics service. This could result in the leaking of users' 2FA codes to the developer of the application.

A screen recording shared by Mysk shows several similarly designed applications with very similar interfaces and prompts to subscribe to a $40/year annual plan. Developer Kevin Archer claims that these apps are being released with different metadata sets on new accounts, and seem to have skirted the guidelines enforced by the App Review team, including guideline 5.6.3 (Discovery Fraud), which does not permit manipulating App Store charts, search, reviews, or app referrals.

Samsung Wins Patent for a Tri-Fold Smartphone With Specialised Barrier Layer for Improved Durability

You need to be careful when you search for an authenticator app. This app sends the scanned QR codes to the developer's #Google analytics service. You won't miss it. It's running an ad campaign on the #AppStore #Privacy #CyberSecurity #2FA pic.twitter.com/huvAtilUnV
— Mysk 🇨🇦🇩🇪 (@mysk_co) February 19, 2023

According to a screenshot posted by the company, many of the apps were released last week, which is around the same time that Twitter, which was recently taken over by Elon Musk, announced that it was dropping support for SMS-based 2FA for users who are not subscribed to its Twitter Blue service. Users who had set up their accounts to receive SMS login codes have until March to turn it off and set up third-party 2FA applications or hardware security keys to securely log in to their accounts.

The existence of these apps on the App Store means that users who are looking to download 2FA apps on the App Store might end up downloading one of these applications, putting their security at risk. Apps like Google Authenticator, Authy, Aegis Authenticator (Android), and Microsoft Authenticator are secure and reliable options from reputable companies that can be used to store 2FA authentication tokens instead.

5G is now available both on Android and iPhone in India. But is it any good? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Two Factor Authentication, 2FA, Security

David Delima

Email David Delima

As a writer on technology with Gadgets 360, David Delima is interested in open-source technology, cybersecurity, consumer privacy, and loves to read and write about how the Internet works. David can be contacted via email at DavidD@ndtv.com, on Twitter at @DxDavey, and Mastodon at mstdn.social/@delima. More