The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store for the productivity category. No wonder! The app disguises itself as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator", and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.

🙏 Boosting this post will help spread the word. Thank you!

#privacy #security #2FactorAuthentication #iOS #infosec

We demonstrated how this app steals secrets on Naomi Brockwell's channel; make sure you watch the episode ✌️:

https://youtu.be/cP1LVbLAcSU ("The DARK SIDE of 2FA Apps!", YouTube)

A video showing how the app abuses search keywords to trick users:

https://defcon.social/@mysk/110576091858818294

Mysk (@mysk@defcon.social):

So this scam #2FA app is using custom product pages of Apple Search Ads to trick users. It has different campaigns per search keyword. When searching for "Microsoft Authenticator", it shows screenshots highlighting "Microsoft", and when searching for "Google Authenticator", it highlights "Google". Watch the video 🤯 It's worth noting that custom product pages need to be approved by App Store Connect and Apple Search Ads. This app steals 2FA secrets and its model is very suspicious as noted below. Friendly reminder: Mastodon uses no algorithms for discovering posts. The only way to spread the word is by boosting posts. If you think this post is helpful, boost it to reach others. Thank you 🙏 #Privacy #Apple #iOS #cybersecuritytips #infosec #cybersecurity #security #2FactorAuthentication
@mysk I'll try to watch later. Are they actually stealing secrets or just syncing them to the cloud? I could see this being a paid 2FA scam.
@elaine The secrets are collected as part of the app analytics and sent to the developer's Google Analytics account.
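The reply above says the scanned secrets leave the device inside ordinary analytics events. As an added example (not code from Mysk or from the post), here is a check a defender could run over request bodies captured from a device proxy: it flags any body that carries an otpauth:// provisioning URI or a bare base32 TOTP seed, and notes whether the destination is a known analytics host, which is the pattern the reply describes. The sample requests, the analytics host list and the field names are constructed assumptions for this example.

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

# Illustrative set of third-party analytics hosts (assumption: not exhaustive or
# official). The post says the secrets end up in a Google Analytics account.
ANALYTICS_HOSTS = {"www.google-analytics.com", "analytics.google.com", "app-measurement.com"}

# otpauth:// URIs are what an authenticator app gets from a scanned QR code.
OTPAUTH_RE = re.compile(r"otpauth://[^\s\"'<>]+", re.IGNORECASE)
# A TOTP seed is RFC 4648 base32 (A-Z, 2-7), usually 16 or 32 characters.
BASE32_RE = re.compile(r"(?<![A-Z2-7])[A-Z2-7]{16,}(?![A-Z2-7])")

# Constructed request bodies, as a device proxy might capture them. These are
# made-up samples for this example, not traffic from the app in the post.
SAMPLE_REQUESTS = [
    # Ordinary analytics hit: a screen view, nothing sensitive.
    ("https://www.google-analytics.com/collect",
     "v=1&tid=UA-XXXXX-1&t=screenview&cd=HomeScreen"),
    # Analytics event whose label carries the scanned provisioning URI.
    ("https://www.google-analytics.com/collect",
     "v=1&tid=UA-XXXXX-1&t=event&ec=scan&ea=qr&el="
     + quote("otpauth://totp/Example:alice@example.com"
             "?secret=JBSWY3DPEHPK3PXP&issuer=Example")),
    # JSON event to an unknown host carrying a bare base32 seed.
    ("https://telemetry.example/v1/events",
     '{"event":"scan","params":{"secret":"GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}'),
    # Legitimate login: a 6-digit TOTP code, never the seed it was derived from.
    ("https://api.example.com/login", '{"user":"alice","otp":"492039"}'),
]


def _looks_like_seed(token: str) -> bool:
    """A real seed decodes cleanly as base32 once padded to a multiple of 8."""
    try:
        base64.b32decode(token + "=" * (-len(token) % 8))
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def _text_views(body: str):
    """Yield the body in the forms in which a seed could be embedded: URL-decoded
    as a whole and, for form-encoded bodies, each decoded field value."""
    yield unquote(body)
    if "=" in body and not body.lstrip().startswith(("{", "[")):
        for values in parse_qs(body, keep_blank_values=True).values():
            yield from values


def find_secrets(body: str) -> list[tuple[str, str]]:
    """Return (kind, seed) pairs found in one request body: 'otpauth' when the
    seed came from a full provisioning URI, 'base32' when it appeared bare."""
    found: dict[str, str] = {}
    for view in _text_views(body):
        for m in OTPAUTH_RE.finditer(view):
            query = parse_qs(urlparse(m.group(0)).query)
            for seed in query.get("secret", []):
                found.setdefault(seed.upper(), "otpauth")
        for m in BASE32_RE.finditer(view):
            if _looks_like_seed(m.group(0)):
                found.setdefault(m.group(0), "base32")  # keeps 'otpauth' if seen
    return [(kind, seed) for seed, kind in found.items()]


def scan_requests(requests: list[tuple[str, str]]) -> list[dict]:
    """Flag every captured (url, body) whose body carries TOTP seed material,
    noting whether the destination is one of the illustrative analytics hosts."""
    alerts = []
    for url, body in requests:
        seeds = find_secrets(body)
        if seeds:
            host = urlparse(url).hostname or ""
            alerts.append({"url": url, "analytics_host": host in ANALYTICS_HOSTS,
                           "secrets": seeds})
    return alerts


if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

The point of the check is the asymmetry in the last sample: a genuine authenticator only ever sends the 6-digit code it derives, so the seed itself appearing in any outbound body is the finding, and the analytics-host flag just makes the reply's description concrete. The bare base32 match is a heuristic (long uppercase identifiers can decode as base32 too), so those hits deserve a manual look.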