Don't download this Microsoft Authenticator extension for Chrome: it is fake
Software and extension stores that rely on automated reviews of submissions are more prone to offering fake and malicious extensions. The latest addition to the growing number of Chrome Store extensions that fall into that category is called Microsoft Authenticator.
The name suggests that it is an official product by Microsoft, but it is not. One hint that something is off is that the company that is offering the extension is not Microsoft Corporation but "Extensions".
The app has 448 users and a three out of five stars rating at the store at the moment. It has been in the store since April 23, 2021.
If you have read our guide on verifying Chrome extensions before installation, you know that listing details such as the developer information may hint that something is fishy. The developer email address looks like one of those fake email addresses used for phishing or spam sending; it uses a Gmail address, and not an official Microsoft address.
A look at the reviews includes several warnings from other users, but also some that praise it. The latter are likely fake and used to instill a level of trust in users who check the reviews before trying the extension.
A quick check of Microsoft's Authenticator homepage reveals that it is available as a mobile application, and as a Microsoft Store version, but not as a browser extension.
The extension posing as Microsoft Authenticator cannot be used to authenticate Microsoft account sign-ins or any other sign-in for that matter. It displays a basic page with the option to "run Microsoft Authenticator". A click on the button opens a Polish webpage that redirects automatically to another webpage, which asks for a sign-in or the creation of an account.
Closing Words
In this case, it is pretty obvious that the extension is not legitimate but fake. Still, more than 400 users have installed the extension already and it is possible that the count will increase in the coming days or weeks. Much of it depends on Google and whether the company will do something about it.
Now You: do you vet extensions before you install them?
I’m kind of surprised that Google doesn’t have software that automatically flags any extension submissions with the words “Microsoft”, “Apple”, and other well-known brand names of companies that publish widely used apps (big banks, video game companies, streaming services, content blockers, etc.) that aren’t put up by a known legitimate account for one of said companies for manual review by a human being.
This scammer could have gotten around that hypothetical system by simply calling it an “Authenticator” and listing the names of credentials it “supports” in its description, but I’ll bet it’d have fewer downloads had the scammer been forced to do so. People at least would have been aware it was a third-party extension and it wouldn’t have come up as highly in searches for “Microsoft”.
You can’t catch everything in advance if you want to be, or have to be due to volume, “allow by default” in general, *but* something automated that looks for names that probably shouldn’t be there would probably cut down on it. I think they already do some basic automated searches for a few known malware types, don’t they? So, the technology seems like it’s available and being used, just not being applied in this particular way.
That may seem like something that could be portrayed as potentially being anti-competitive if they instituted it badly, but it wouldn’t be if they executed it correctly. The key would be to automatically allow submissions and updates from verified accounts for all the brands (Well, don’t subject them to any more delays than anyone else would have, including your own legitimate Google branded extensions), and in instances where something is flagged for using one of those names from an unknown account and held up, have the human review of it happen very quickly so no one can accuse Google of holding up legit extensions for undue amounts of time to benefit their own alternative apps. The companies being ripped off might actually be *for* Google doing something like that, because companies that release “Microsoft [whatever]” are violating Microsoft’s legal copyright to its name in some countries (Similarly, Google might want to do the same thing with apps that people try to publish using its own name in the extension name, if they don’t do so already.).
There could also be a system for mid-sized or large publishers they miss for automatic inclusion in this potential system to get verified in a way that is hard to fake, but not too much of a strain for a decent sized business to do in a few days, if a business wants this added protection of its copyright. I suppose there could also be a way for included companies to opt-out if they object to being included.
I’m not dissing Google in particular here for not having these types of safeguards - other extension and app stores have similar problems at times. They could really all be doing better than they do. However, that others could also do better is not really an excuse for any individual company to not do better on its own. They have an obligation to their users to do the best they can, within reason, without regard to what anyone else is doing or not doing.
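An added example, not part of the article or of any reader comment: a sketch of the brand-name flagging proposed in the comment above, combined with the publisher and developer-address hints from the article. The brand table, field names and sample listings are assumptions constructed for illustration, `offered_by` is assumed to reflect a store-verified account, and the look-alike folding goes beyond the case on the page.

```python
import re
import unicodedata

# Assumed reviewer-maintained table: brand -> verified publisher names and
# e-mail domains. "examplebank" is a constructed placeholder entry.
VERIFIED = {
    "microsoft": {"publishers": {"microsoft corporation"}, "domains": {"microsoft.com"}},
    "examplebank": {"publishers": {"example bank plc"}, "domains": {"examplebank.example"}},
}
# Fold a few ASCII look-alikes into one class so "M1cr0soft" and "Microsoft"
# compare equal. This is not a full Unicode confusables table.
_FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})

def skeleton(text):
    """Lower-case, fold look-alikes, and keep only ASCII letters and digits."""
    folded = unicodedata.normalize("NFKD", text).lower().translate(_FOLD)
    return re.sub(r"[^a-z0-9]", "", folded)

def domain_of(address):
    """Return the lower-cased domain of an e-mail address ('' if none)."""
    return address.strip().lower().rpartition("@")[2] if "@" in address else ""

def review_listing(listing):
    """Return the reasons a listing should be held for manual review."""
    reasons = []
    name = skeleton(listing["name"])
    publisher = listing["offered_by"].strip().lower()
    domain = domain_of(listing["developer_email"])
    for brand, ok in VERIFIED.items():
        if skeleton(brand) not in name:
            continue  # listing does not use this brand name
        if publisher not in ok["publishers"]:
            reasons.append(f"{brand}: offered by unverified publisher {listing['offered_by']!r}")
        if not any(domain == d or domain.endswith("." + d) for d in ok["domains"]):
            reasons.append(f"{brand}: contact domain {domain!r} is not the brand's")
    return reasons

# Constructed sample listings (publisher name from the article; address invented).
FAKE = {"name": "Microsoft Authenticator", "offered_by": "Extensions",
        "developer_email": "someone@gmail.com"}
LOOKALIKE = dict(FAKE, name="M1cr0soft Authenticat0r")
GENERIC = dict(FAKE, name="Authenticator")
VERIFIED_PUB = {"name": "Microsoft Sample Tool", "offered_by": "Microsoft Corporation",
                "developer_email": "support@microsoft.com"}

if __name__ == "__main__":
    for item in (FAKE, LOOKALIKE, GENERIC, VERIFIED_PUB):
        print(item["name"], "->", review_listing(item) or "no brand flags")
```

The `GENERIC` listing passes without a flag, which matches the evasion the commenter anticipates: a listing that drops the brand name is not caught by this check.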
What was the Polish website that users were being directed to, please?
Do not download any Authenticator extension or otherwise unless you know it comes from a reputable company, like BitWarden that has built in TOTP. Remember that all TOTP is is another password in essence. It’s just a string of characters.
This is what can happen when “stores” distribute completely unverified and untested software and also when they do not take sufficient steps to remove obviously fake reviews. I find Google has a horrible history (and present) with all these significant problems.
All of the things Martin mentioned that look suspicious can be forged with almost no effort to look completely legitimate.
I think it is reasonable to assume that there is much malware lurking in all of Google’s stores, but most of it won’t be this obvious.
It has been removed.
“Offered by Extensions” is a dead giveaway. Whoever installs that deserves to be phished.
We were all naïve when we started using computers and internet. If you start with the thought, ‘no criminal deserves to make a profit’, it follows that nobody deserves to be phished.
If you mean Windows Mobile, then yes a store version is “available”.