Authenticator App Reportedly Uses App Store Advertising to Scam Users, Collects Secret QR Codes

Authenticator apps like Authy and Google Authenticator help users add a second layer of security to their account, preventing malicious actors from accessing their personal information and data. Last week, Twitter announced that it would soon discontinue access to SMS-based two-factor authentication (2FA) for users who have not subscribed to the company's Twitter Blue service. Developers have now begun to flood the app store with authenticator apps that ask users to pay a subscription fee before they can add any accounts. 

Security company Mysk claims (via 9to5Mac) that there are several similar-looking authenticator apps that have recently been published to the App Store. Unlike Authy and Google Authenticator that allow users to scan QR codes to set up 2FA on their accounts, these applications first require users to sign up for a free trial that converts into a subscription priced as high as $40 (roughly Rs. 3,300) per year. Gadgets 360 was able to confirm that some of these apps with annual subscriptions are currently available on the App Store. 

In a separate tweet, the company also warns that at least one of these authenticator apps is running an advertising campaign on the App Store, and a screenshot reveals that it is the first app to show up  when searching for “authenticator”. According to Mysk, this app sends the contents of the scanned QR code to the developer's Google Analytics service. This could result in the leaking of users' 2FA codes to the developer of the application. 

A screen recording shared by Mysk shows several similarly designed applications with very similar interfaces and prompts to subscribe to a $40/year annual plan. Developer Kevin Archer claims that these apps are being released with different metadata sets on new accounts, and seem to have skirted the guidelines enforced by the App Review team, including guideline 5.6.3 (Discovery Fraud), which does not permit manipulating App Store charts, search, reviews, or app referrals.

According to a screenshot posted by the company, many of the apps were released last week, which is around the same time that Twitter, which was recently taken over by Elon Musk, announced that it was dropping support for SMS-based 2FA for users who are not subscribed to its Twitter Blue service. Users who had set up their accounts to receive SMS login codes have until March to turn it off and set up third-party 2FA applications or hardware security keys to securely log in to their accounts. 

The existence of these apps on the App Store means that users who are looking to download 2FA apps on the App Store might end up downloading one of these applications, putting their security at risk. Apps like Google Authenticator, Authy, Aegis Authenticator (Android), and Microsoft Authenticator are secure and reliable options from reputable companies that can be used to store 2FA authentication tokens instead.