Attackers are using fake authenticator apps on App Store to scam users
Last week, Twitter decided to remove SMS 2FA for its free users. Dropping SMS 2FA isn't a terrible idea in itself; the problem is that Twitter made it a premium feature for Twitter Blue subscribers.
What's worse is that the social network did not recommend a specific 2FA app; it simply told users to pick any authenticator app they wanted. That is a problem in itself: not everyone is tech-savvy, and some users may not know what 2FA is, let alone which app to trust with their account. This is where it turned ugly: 9to5Mac reports that scammers cashed in on users searching for 2FA apps by advertising fake authenticator apps on the iOS App Store.
Image courtesy: Mysk
Fake authenticator apps on the App Store are stealing QR codes from users
The scam authenticator apps were spotted by Mysk, a two-person security research and development team. They pointed out that the scammers are likely using a white-label app that they buy, rebrand and publish on the App Store. The fake authenticator apps are free to download, presumably to lure unsuspecting users into installing them on their iPhones.
But there's a catch: the apps have in-app purchases. Once installed and launched, they prompt the user to buy a subscription for $40/year, with a 3-day free trial. At least one of the apps does not let the user scan QR codes without paying, and the apps then capture the scanned QR codes and send the data to the developer. That matters because the QR code shown during 2FA setup contains the account's TOTP secret key; anyone who obtains it can generate valid login codes for that account for as long as the secret stays in use. You can view a video demo of these fake apps here; notice how they have similar icons and UIs. These practices are explicitly forbidden by the App Store's rules, so how these apps passed Apple's review remains a mystery.
Another security researcher shared some insight: the scammers are gaming the App Store's search algorithm by releasing the same app under different developer accounts with different sets of metadata. One of these fake authenticator apps was reportedly ranking at number 5 in the US App Store search results for "Authenticator", which could be because the scammers are running App Store ad campaigns to promote their apps. These apps still exist, I was able to find 2 of them while writing this article.
Scam apps on the App Store aren't exactly a new threat; despite Apple's claim that its store is safer than Google's Play Store, there are several fake ChatGPT apps on the App Store too. You shouldn't use them. SMS two-factor authentication (2FA) is well known to be weak: anyone with access to your phone, or who takes over your phone number through a SIM swap attack, can receive your verification codes. Use a proper 2FA app that generates Time-based One-Time Passwords (TOTP) instead. If you don't know how to set up 2FA for your Twitter account, read Martin's article to learn how to protect your social ID.
Surprisingly, Mysk said that Authy and Microsoft Authenticator phone home with some usage data; apparently the apps send information about every QR code that is scanned to add a 2FA token. Google Authenticator, on the other hand, was recommended as a safer option. I recommend using Aegis for Android and Raivo OTP for iOS, both of which are free, open source apps.
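To show what is actually at stake when an app captures or phones home a scanned QR code, here is an added example (not code from the original article, from Mysk, or from any of the apps named above) that parses the otpauth:// URI an authenticator QR code carries and computes the TOTP code from it the way RFC 6238 specifies. The sample payload, its secret and the "Twitter" label are constructed for this demonstration. Whoever holds that string can generate the same codes as the legitimate app.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample payload in the otpauth:// "Key Uri Format" that
# authenticator QR codes encode. The secret is a made-up test value and the
# label/issuer are illustrative only.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/Twitter:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Twitter&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its label, secret and parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(u.path.lstrip("/"))
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    default_issuer = label.split(":", 1)[0] if ":" in label else ""
    return {
        "label": label,
        "secret": q["secret"],  # the base32 seed: this is the whole secret
        "issuer": q.get("issuer", default_issuer),
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def totp(secret_b32, timestamp, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / period)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # base32 decoders want padding; QR payloads omit it
    key = base64.b32decode(s)
    counter = int(timestamp) // period
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    digest = hmac.new(key, msg, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_qr_payload(uri, timestamp=None):
    """Everything needed to mint a valid code is in the QR payload itself."""
    p = parse_otpauth(uri)
    ts = time.time() if timestamp is None else timestamp
    return totp(p["secret"], ts, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_QR_PAYLOAD)
    print("issuer:", info["issuer"], "label:", info["label"])
    print("current code from the captured QR payload:",
          code_from_qr_payload(SAMPLE_QR_PAYLOAD))
```

The point of the example is the last function: a QR code is not a one-time enrollment token, it is the shared seed. An app that uploads what it scans hands the operator the ability to answer the second factor for that account, so the only remedy after using such an app is to remove and re-enroll 2FA on every account that was scanned.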
On a sidenote, there is a new malware called Stealc that's stealing user data from PCs.