Update four months later: A fake Microsoft Authenticator app somehow survived the cull, but was finally removed in June …
Update: Apple has now removed most scam authenticator apps from the App Store – see end of piece.
Twitter’s latest bonehead move has led to a flurry of scam authenticator apps, with at least one of them using App Store advertising to figure prominently in search results – and then sending all scanned QR codes to the developer’s analytics service.
There’s a whole array of others that appear to be free but then require in-app purchases in order to scan QR codes …
Twitter spurring interest in authenticators
Twitter last week came up with the bright idea of selling account safety as a chargeable service, by putting SMS-based two-factor authentication (2FA) behind the Twitter Blue paywall.
Starting March 20, Twitter will begin to require Twitter Blue for the use of two-factor authentication over SMS. The change, officially announced today, is certainly a major step. Twitter says that it will simply turn off two-factor authentication for anyone who is still using SMS keys and is not paying for Blue as of the March 20 cutoff.
No prizes for guessing whose idea that was.
Admittedly, SMS 2FA is horrible, leaving all your secured accounts vulnerable to SIM-swap attacks. If Twitter were simply dropping support for this, and asking everyone to use an authenticator app, that would be one thing. Instead, Twitter is giving the impression that SMS is a premium option by charging for it.
Scam authenticator apps
This has created the perfect opportunity for scam authenticator apps to separate non-techies from their money – or even from their accounts.
Developer and security researcher Mysk quickly spotted a whole bunch of suspiciously similar apps, all of which demand an in-app subscription purchase in order to scan QR codes.
The timeless art of authenticators! All these authenticator apps are free and offer in-app purchases. You install them to discover that you can’t scan any QR code until you subscribe, $40/year with 3 days free trial. The apps are very similar.
He was quickly able to find a dozen of them (image above), and questioned why they weren’t spotted in app review.
The App Store should do something about these apps. There seems to be some white-label app that scammers purchase, rebrand, and deploy to the @AppStore. Any average user can spot the striking similarities between them. How come the App Review team did not spot that?
At least one of these tries to force you to subscribe even if you tap the close box.
One scam app even captures your QR codes. You don’t have to look very hard for it: The developer took out an App Store ad, which means it is prominently shown when you search for authenticator apps.
You need to be careful when you search for an authenticator app. This app sends the scanned QR codes to the developer’s #Google analytics service. You won’t miss it. It’s running an ad campaign on the #AppStore
Safe authenticator apps
On iOS, you can now use the built-in support for 2FA. Alternatively, Google Authenticator is the default choice, and Mysk says he hasn’t found any reason not to use it.
We recently detailed how to use it for Twitter.
Apple has now removed the scam apps
Mysk reports that Apple has now removed the apps the company reported.