Skip to main content
  1. Writing/

Beware Of Deceiving Authenticator Apps on Apple and Google Devices

·1846 words
mfa mobile applications security authentication privacy
Table of Contents

I am one of those people that viscerally hates online advertisement. In the year 2024, 99.999% of it in my humble opinion is extremely intrusive (both from a privacy and usability perspectives) and serves no positive customer goals. But don’t listen just to me for that - Cory Doctorow has an arsenal of data to back this opinion up that you can go through for your own horror and entertainment. Let alone the fact that there is so much malware that gets distributed through ad networks that this should be the sole reason to block ads everywhere you have an active internet connection.

What all of this means is that I will go out of my way to get ads blocked everywhere in my immediate proximity - uBlock Origin on Firefox is a must on all our family devices. Unfortunately, Chrome and Chromium-based browsers are on track to kneecap ad-blocking capabilities with Manifest V3, so Firefox remains the only viable option that can fully enable ad blocking with proper dynamic controls. Firefox Focus on mobile devices is a great way to browse the web in a bit more of a privacy-preserving way, since it blocks quite a few trackers. And of course, I’ve already talked on this blog how I think every household should try using a Pi-hole to block unwanted outbound traffic at the DNS level. But I digress.

One thing that the tools I mentioned above do not help with is advertisement embedded directly in experiences such as mobile app stores. If you have a mobile device manufactured any time after 2010, you likely have used one more than once to install whatever applications you need for your work and personal life. For Android it’s the Play Store, and for Apple - the App Store. Which leads me to the topic of this post and how the ads there are not as innocuous as you may think.

Thanksgiving is coming up in the US, when we’ll gather around the table with our relatives and often (if you are like me) we’ll do some IT support while there - clean the PCs from adware, set up our family with a password manager, and even try to get them to use two-factor authentication. Use the above as a starting guidance on how to make sure they do it right.

These are not the droids you’re looking for #

The other day I was walking one of my relatives through the process of enabling two-factor authentication for their accounts, and I wanted them to use an authenticator application instead of SMS (which you should never use unless there are no other options). My recommendation was to use Microsoft Authenticator.

The conversation went something like this:

Me: “Go to the Play Store and search for Authenticator.”

Them: “OK… Alright, I see a few, which should I pick?”

Me: “Use the Microsoft Authenticator one.”

Them: “Oh, but I see two. Which one should I use?”

Me: “The one from Microsoft - it should be the official one.”

Them: “There are two from Microsoft.”

At that point I told them to stop and send me a screenshot - “Do not install anything right now,” I rattled off. When the screenshot arrived, lo and behold, this is what I saw:

Google Play Store showing ads that trick people into installing the wrong authenticator apps.
Google Play Store showing ads that trick people into installing the wrong authenticator apps.

My first reaction was “Oh save me Jeebus, is this for real?” I consider myself to be technologically proficient, but even I was caught off-guard here.

With an untrained eye, could you easily figure out which is the real Microsoft Authenticator app? If your answer is “Well of course, the one that has Microsoft Authenticator in the name and is listed as developed by Microsoft Corporation, and you have to look at download numbers” - congratulations, you work in tech. No average person is going to easily draw that distinction, and the aforementioned relative almost installed the wrong application.

Now, I don’t want to draw any conclusions about what any of these apps do with your credentials. However, I am not exactly optimistic. Even without installing the application, red flags start flying when you open the description:

Why would an authenticator app need to contain ads?
Why would an authenticator app need to contain ads?

Contains ads” and “In-app purchases” are not exactly exonerating evidence in our quest to prove that this is not an effort by unscrupulous actors to deceive people and make a quick buck. Let’s take a look at the reviews.

The reviews are a mixed bag.
The reviews are a mixed bag.

Not exactly a stellar experience overall, it seems - quite a few 1-star reviews. But something suspicious stood out about the 5-star reviews too. Many were very generic, but many others would praise the app for “quick refunds.”

Five stars, and yet asking for a refund. Wouldn't trust this rating too much.
Five stars, and yet asking for a refund. Wouldn’t trust this rating too much.
More ratings about refunds and not the app.
More ratings about refunds and not the app.

So, this is clearly not normal - even the highest-rated reviews are talking about refunds as the motivation for their rating. What about the 1-star ones?

Glowing feedback, I know!
Glowing feedback, I know!
More pointers that the app is a scam.
More pointers that the app is a scam.

So, this is most definitely a scammy app that is preying on people not knowing the difference between the official and unofficial apps, and then charging those people absurd subscription fees.

As an added bonus, these apps have very “keyword stuffy” application IDs:

authenticator.app.otp.mfa.authentication
com.authenticator.twofactor.otp.passwordmanager.multifactor

Someone took a page from old-school SEO playbooks and tried to stuff as many search terms in the package name itself.

Nope, not at all suspicious package names.
Nope, not at all suspicious package names.

And frankly, this is not just a Google Play Store problem. Searching for “authenticator” on iOS presents this:

Searching for an authenticator app on iOS.
Searching for an authenticator app on iOS.

Wow, all of 11K reviews and a stellar 5-star rating. Predictably, this application does the exact same thing as the one I’ve documented above for Android - while it appears to be a different developer, it still cons people into a subscription that they then have to cancel by emailing some sketchy generic email address on a public email service.

Not only are these applications clearly deceiving customers, but also both Google and Apple profit from them - they are showing up in sponsored sections of the respective app stores, meaning that both companies are getting paid to place the ad there. Which, hey - a good reminder that just because an app went through the store review process doesn’t mean it’s safe.

I mean, look at the logos - they all were designed to mimic as closely as possible Microsoft Authenticator and Google Authenticator, just waiting to pounce on those that didn’t look close enough and installed the app. I can tell you right now that the relative I’ve been talking to would have installed the wrong app in seconds and wouldn’t even notice something was amiss until months later, if at all.

What’s the big deal #

One might think that a two-factor app is a two-factor app, who cares if it charges for things. First of all - that’s a scam because no legit authenticator app charges you for its features. None of the apps I looked at offer anything that you won’t get from reputable authenticator apps that would be worth losing money over. Not only that, but the fees are exorbitant, so this is a cash grab preying on individuals that don’t know better.

Second, and the biggest problem is that you don’t know what happens with your two-factor codes. While I don’t know that the two apps I looked at are malicious in any capacity beyond just trying to scam people out of subscription charges, anyone with access to your one-time codes can also access your account if they come across your password (which, nowadays, is easy to come by given all the leaks) or other identifying information that can help reset your account access.

Last and not least - you don’t know what happens to your data that is managed by these apps. You gave a blanket view into what accounts you are protecting. The developer behind these apps can find out what your email address is, what your bank is, where you’re buying online goods, and so much more. Especially seeing that the iOS app attempts to be a “catch-all” for all sorts of things, like “private browsing” or “WiFi scanning” (whatever that means).

What you should do #

Install only reputable authenticators #

I can personally recommend that you install one of the reputable authenticator applications - Microsoft Authenticator and Google Authenticator.

Typically, I would also look at Authy but I can’t in good faith recommend it because they were breached earlier this year where they exposed customers’ phone numbers through an unauthenticated API endpoint - a privacy gap that to me personally is unacceptable for an authenticator.

To make sure that your relatives, friends, and family download the legit applications, instead of relying on them searching for the app in whatever store they use, have them download the exact app they need to. Here are the links that you can use to point them to, extracted from the official sites (but don’t trust me - check them out yourself).

Microsoft Authenticator #

🤖 Android:

https://play.google.com/store/apps/details?id=com.azure.authenticator

🍎 iOS:

https://apps.apple.com/us/app/microsoft-authenticator/id983156458

Google Authenticator #

🤖 Android:

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

🍎 iOS:

https://apps.apple.com/app/google-authenticator/id388497605

Never pay for authenticator apps #

There truly is never a reason to pay for a common use-case authenticator application. If the application asks for payment, you installed a scam app. Make sure to set up your accounts with a reputable authenticator mentioned above (to make sure you’re not locked out), remove your accounts from whatever paid app you used, and delete it from your device.

What should Google and Apple do #

This entire shebang started from the fact that both Google and Apple fail to shield their customers from scammy applications.

A cursory review of iconography and application description should immediately throw red flags to anyone that is doing app reviews, which apparently lately are so anal that you can’t publish a camera app without explaining why you need to use a camera. If someone mentions “Microsoft Authenticator” as their application “header” and they are not, in fact, published by Microsoft, why is there no immediate rejection?

In Android’s case, it was hilarious to see that some other wannabe authenticator app almost entirely ripped off the official Google Authenticator icon (before it changed) and still made it through the review process.

Could you find ten differences?
Could you find ten differences?

Folks - you need to review this stuff better to protect your customers. I am not worried about the app jumping out of its sandbox and doing something to my or my family’s devices. That stuff has pretty locked already, and the “app nutrition facts” are a great signal on whether something might be off permission-wise. I am, however, worried, about apps like these being both a money drainer and a vector for other identity attacks that stem from having direct access to some of the most coveted artifacts that malicious actors can’t wait to get their hands on.