Security researchers are sounding the alarm over a wave of questionable authenticator apps flooding the Apple App Store and Google Play after Twitter’s recent shift from SMS-based 2FA.
Two iOS developers and self-proclaimed “occasional security researchers” have found that Apple and Google’s app stores harbor a wide range of questionable authenticator apps, likely capitalizing on Twitter forcing users to abandon SMS-based multi-factor authentication.
While some of the scam apps reported by @Mysk have since been removed, others are still in place.
One such app sends the scanned QR codes to the developer's Google Analytics service, thereby disclosing to a third party a secret seed that should never leave the user's device: the QR code encodes the very key from which every one-time code is generated.
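To make the security point concrete, here is an added example (written for this page; not code from the article, from @Mysk, or from Bitdefender) that parses the kind of `otpauth://` URI an authenticator app reads from an enrollment QR code, derives RFC 6238 TOTP codes from the seed it carries, and shows what an app could safely record instead. The sample URI is constructed and uses the RFC 6238 reference seed so the output can be checked against the RFC's published test vectors; the URI field names follow the widely used Google Authenticator key-URI format.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlsplit, urlunsplit, parse_qs, unquote, urlencode

# Constructed sample (not from the article): a typical enrollment QR payload.
# The seed is the RFC 6238 reference seed "12345678901234567890", base32-encoded,
# so the codes below match the RFC's test vectors.
SAMPLE_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = (
    "otpauth://totp/Example:alice@example.com"
    f"?secret={SAMPLE_SEED_B32}&issuer=Example&digits=6&period=30"
)

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp URI into its fields and decode the base32 seed."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = unquote(parts.path.lstrip("/"))
    issuer, _, account = label.rpartition(":")
    secret = params["secret"].strip().replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)  # tolerate unpadded base32, which is common
    return {
        "issuer": params.get("issuer", issuer),
        "account": account,
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def totp(key: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the 8-byte big-endian time step, then dynamic truncation."""
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def code_from_qr(uri: str, at: int) -> str:
    """Everything needed to mint a valid code is inside the QR payload itself."""
    p = parse_otpauth(uri)
    return totp(p["key"], at, p["digits"], p["period"], p["algorithm"])


def redact_for_telemetry(uri: str) -> str:
    """What a well-behaved app may record: the URI with the seed stripped out."""
    parts = urlsplit(uri)
    kept = [(k, v[0]) for k, v in parse_qs(parts.query).items() if k != "secret"]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    now = int(time.time())
    fields = {k: v for k, v in parse_otpauth(SAMPLE_URI).items() if k != "key"}
    print("non-secret fields in the QR payload:", fields)
    print("code anyone holding the payload can compute right now:", code_from_qr(SAMPLE_URI, now))
    print("safe to send to analytics:", redact_for_telemetry(SAMPLE_URI))
```

The takeaway for app reviewers and defenders: the `secret` parameter is the whole second factor, so any telemetry, crash report or analytics call that carries the raw scanned string (rather than the redacted form) hands the recipient the ability to produce the same codes as the legitimate user for as long as that seed stays enrolled.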
Notably, its developer has bought ad space so the app gains maximum visibility, appearing at the very top when users search for “authenticator,” “authenticator app,” or “2FA.”
Bitdefender can independently confirm that the app features an aggressive, €40 paywall for features that normally come free with legitimate authenticator apps and services.
The two researchers found many near-identical scam apps, all of which trick users into taking out a yearly subscription for €40. At least four of the apps analyzed by the duo allegedly had near-identical binaries.
Bitdefender strongly recommends using only official authenticator apps and services from reputable vendors like Apple, Google and Microsoft.
If an application looks or feels shady, don’t give it any permissions on your device, and uninstall it. Only use trusted apps and services, especially for security and privacy purposes.