After analysing several authenticator apps, the two iOS security researchers known as Mysk reported that both Apple's App Store and Google Play carried multiple fake authenticator apps: apps that offered little real security while charging subscriptions of up to $40 per year. Four of them were built from nearly identical binaries. One sent the generated MFA code to the developer's Google Analytics account, and several others sent any scanned enrolment QR code back to a remote server.
One app included in the research, simply called “Authenticator App: 2FA & MFA” and available on both Android and iOS, was sending scanned QR codes back to a remote server. It has been downloaded over 500,000 times on Android, and while Apple's App Store doesn't publish download counts, it shows the app with a five-star average across 121 ratings.
This is concerning for several reasons. First, these fake apps typically offer a range of subscriptions (weekly, monthly and annual) to extract money from unsuspecting users. More seriously, the enrolment QR code contains the TOTP seed, the shared secret from which every one-time code is derived. An app that leaks that seed lets a threat actor generate the same codes from the same seed and pass the MFA challenge as if they were the user, bypassing MFA without much trouble.
A properly made authenticator app would never display the seed again once it has been entered or scanned, would not share it with or expose it to other apps, would not write it to log files, unprotected backups or debug output, and certainly would not transmit it to a remote server. The transport does not change the verdict: even over TLS, a seed that leaves the device is a compromised seed, because anyone holding a copy can compute every future code.
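To make the point concrete, here is an added example (written for this article, not code from Mysk or from any of the apps discussed) that parses the otpauth:// URI carried by an enrolment QR code, derives TOTP codes from the seed it contains, and shows that whoever holds a forwarded copy of that QR code computes exactly the same codes as the victim's device. The enrolment URI, issuer and account name are constructed; the seed is the RFC 6238 reference key so the codes can be checked against the RFC's test vectors. The `safe_log_view` function is a suggested pattern for what an app may record about an enrolment, not a standard.

```python
"""Added example: why a leaked enrolment QR code equals a bypassed MFA."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI (not from any real service). The secret is the
# RFC 6238 reference key "12345678901234567890" in base32, so the codes
# produced below match the RFC's published test vectors.
ENROLMENT_URI = (
    "otpauth://totp/ExampleCorp:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the TOTP parameters from an otpauth://totp/... URI.

    This is what an authenticator does when it scans the QR code, and it is
    all the data a rogue app's operator has once the QR code is forwarded.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("enrolment URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret_b32": q["secret"][0].strip().replace(" ", "").upper(),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def decode_seed(secret_b32):
    """Base32-decode a seed, tolerating the '=' padding most issuers omit."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params, at=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    at = time.time() if at is None else at
    counter = int(at) // params["period"]
    key = decode_seed(params["secret_b32"])
    return hotp(key, counter, params["digits"], params["algorithm"])


def attacker_reproduces_code(leaked_uri, at):
    """The rogue app's operator runs the same computation on the forwarded
    QR code, so the code is identical to the one on the victim's phone."""
    return totp(parse_otpauth(leaked_uri), at)


def safe_log_view(params):
    """Suggested pattern (an assumption, not a standard): if an app must log an
    enrolment, identify it by a short fingerprint of the seed, never the seed."""
    fingerprint = hashlib.sha256(decode_seed(params["secret_b32"])).hexdigest()[:8]
    return {"label": params["label"], "issuer": params["issuer"], "seed_fp": fingerprint}


if __name__ == "__main__":
    params = parse_otpauth(ENROLMENT_URI)
    now = int(time.time())
    victim_code = totp(params, now)
    attacker_code = attacker_reproduces_code(ENROLMENT_URI, now)
    print("victim's app   :", victim_code)
    print("attacker's copy:", attacker_code)
    print("identical      :", victim_code == attacker_code)
    print("safe log entry :", safe_log_view(params))
```

Run it and the two codes are the same at every instant, which is the whole problem: nothing in TOTP ties a code to the device that produced it, only to the seed and the clock. Any app that sends the QR code or the decoded secret anywhere has handed over the second factor, whatever else it does.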
The good news is that Apple appears to have acted on the report and has removed several fake authenticator apps from its store. Even so, only install authenticator apps from reputable sources, and check that the developer listed on the store page is the vendor you expect rather than relying on the app's name or star rating. Apple has a built-in 2FA code generator under Passwords in iOS Settings, and Google Authenticator is available on both Google Play and the App Store.