The rogue 2FA app that steals scanned secrets is now ranked 18 on the German App Store in the productivity category. No wonder! The app disguises itself as a Microsoft app. It is the top hit when you search for "Microsoft Authenticator", and the developer has updated the screenshots in the ad card to highlight the word "Microsoft". Surprisingly, the product page of the app shows different screenshots with the word "Microsoft" removed.
The app now has 1.2K reviews, as opposed to 18 when we first addressed the app.

🙏 Boosting this post will help spread the word. Thank you!

#privacy #security #2FactorAuthentication #iOS #infosec

We demonstrated how this app steals secrets on Naomi Brockwell's channel; make sure you watch the episode ✌️:

https://youtu.be/cP1LVbLAcSU (YouTube: "The DARK SIDE of 2FA Apps!")

A video showing how the app abuses search keywords to trick users:

https://defcon.social/@mysk/110576091858818294

Mysk🇨🇦🇩🇪 (@[email protected]):

🎬 So this scam #2FA app is using custom product pages of Apple Search Ads to trick users. It has different campaigns per search keyword. When searching for "Microsoft Authenticator", it shows screenshots highlighting "Microsoft", and when searching for "Google Authenticator", it highlights "Google". Watch the video 🤯 It's worth noting that custom product pages need to be approved by App Store Connect and Apple Search Ads. This app steals 2FA secrets and its model is very suspicious as noted below. Friendly reminder: Mastodon uses no algorithms for discovering posts. The only way to spread the word is by boosting posts. If you think this post is helpful, boost it to reach others. Thank you 🙏 #Privacy #Apple #iOS #cybersecuritytips #infosec #cybersecurity #security #2FactorAuthentication
@mysk
I'll try to watch later. Are they actually stealing secrets or just syncing them to the cloud? I could see this being a paid 2FA scam.
@elaine The secrets are collected as part of the app analytics and sent to the developer's Google Analytics account.
Just tested the latest version and it still sends scanned secrets to the developer's remote server (Version 1.10.1). Meanwhile, the app has climbed to no. 13 on the German App Store 😳
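An added example, not code from the thread or from any app mentioned in it: a small Python audit helper a defender can use to verify the kind of finding reported above, namely whether a freshly scanned TOTP secret shows up in an app's outbound requests (in base32, hex or base64 form). The otpauth URI and the request bodies are constructed samples, not captured traffic.

```python
import base64
from urllib.parse import parse_qs, unquote, urlparse

# Constructed test enrollment; the secret is a throwaway value, not a real account.
SAMPLE_URI = "otpauth://totp/Example:alice%40example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example"

# Constructed outbound request bodies, modelled on analytics-style "collect" calls.
SAMPLE_REQUESTS = [
    "v=1&t=event&ec=scan&ea=JBSWY3DPEHPK3PXP&el=totp",          # secret sent as-is
    '{"event":"scan_ok","count":1}',                             # benign telemetry
    "uri=otpauth%3A%2F%2Ftotp%2FExample%3Fsecret%3DJBSWY3DPEHPK3PXP",  # whole URI, URL-encoded
]


def parse_otpauth(uri):
    """Return type, label and normalised base32 secret from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].upper().rstrip("=")
    return {"type": u.netloc, "label": unquote(u.path.lstrip("/")), "secret": secret}


def secret_forms(secret_b32):
    """Encodings of the secret an app might transmit: base32, hex, base64."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    raw = base64.b32decode(padded)
    return {
        "base32": secret_b32,
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
    }


def find_leaks(secret_b32, requests):
    """Return (request_index, encoding) pairs where any form of the secret appears.

    Bodies are URL-decoded first so a secret hidden inside an encoded otpauth URI
    is still found. base32/hex are matched case-insensitively, base64 exactly.
    """
    forms = secret_forms(secret_b32)
    hits = []
    for i, body in enumerate(requests):
        flat = unquote(body)
        for name, value in forms.items():
            found = value in flat if name == "base64" else value.lower() in flat.lower()
            if found:
                hits.append((i, name))
    return hits
```

Run `find_leaks(parse_otpauth(SAMPLE_URI)["secret"], SAMPLE_REQUESTS)` against real captured bodies to get a list of the requests that carried the enrolled secret.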
@mysk
That's why I use android and f-droid.
@mysk
To be serious: If appstores were actually curated, they would never be profitable.
Or totp apps would have no internet permission/entitlement.
@mysk
Ah hahaha. And Apple is the company telling their users that they can only use their AppStore because anything there is curated and thus safe and secure.
And here comes a top app, with 1.2K votes and they don't realize it's fake and malicious?
That is yelling "automatic CI-like tests" - and ok, yes, because this is cheaper and who knows how many apps arrive per minute? But again: This is an app that is in the top charts! And a 2FA app no less! Why again is Apple taking such a high share from the devs' revenues (because an AppStore with all security features is expensive, they say) - if there is seemingly no human involved?
(just hypothetical questions, I don't own any Apple product, never have)
@mysk Always use a trusted and vetted 2FA app.
@mysk I recommend to never use a smart phone as a second factor. Use a dedicated hardware device, like a TOTP authenticator, USB token or smart card. When using a smart card, use a class 3 reader (they have a PIN pad).
Avoid SMS whenever possible. SMS can be intercepted by just knowing the phone number, if you have access to the SS7 network. No need for compromising the user's device.

@ayron @mysk yeah, that's not exactly a tenable solution.

https://mattrubin.me/authenticator/

Authenticator is open source and hasn’t been updated in 4 years (meaning the dev isn’t making money off of your data)

My advice is to avoid sync-able #2fa apps

@mysk I've seen more than one person at my work with this app on their phone. I've tried to warn people about it, but they just won't listen.
@mysk same company that claims everything is reviewed and charges hundreds of dollars for developer access

truly amazing
@johnnyd_cm @mysk how the hell did it get into the apple app store in the first place, apple are supposed to be control freaks when it comes to allowing apps. then again they don't stop apps that are completely inaccessible with voiceover so...
@mysk And this is why Apple takes their 30% right? To keep its users safe... Scandalous how Apple doesn't even seem to be trying. Any app that goes high on the popularity charts should get extra scrutiny for scamminess/scumminess.
@mysk Apple Search Ads failing spectacularly
@mysk lmao fuck 2fa man
@mysk Did you report this app via: https://reportaproblem.apple.com ? That link is for stuff you've already purchased, but you can also tap "Report a problem" directly in the app store page.

@mysk is there a way to report an app to apple?

@JetForMe Yes, but you must download the app first. Then, an option to report the app appears in the information section of the app in the App Store, more here:

https://beebom.com/how-report-bad-apps-scams-app-store-iphone/
@mysk I wonder if it’s possible to report this to #microsoft, who could alert #apple through legal channels. It’s ridiculous that Apple can’t take down a reported, malicious app. Some press might help too.
@mysk it's an apple store app, did you report it to apple yet? and if so, did they respond? and if not, have you tried again with this new info?
@mysk hope someone takes this to an EU hearing when Apple tries to bullshit politicians into believing their walled garden is anything else than a bloody monopoly.
@mysk According to the Apps privacy section on its App Store Page they are WAY BETTER than the original! Microsoft’s App sucks up everything including all of your content, even your location. I would never use either app!
@mysk Wait, 1.2K reviews have also been removed?

@mysk let me guess: #Google doesn't give any f**ks?

Shit like that would not fly on @fdroidorg - in fact they'd rather yeet apps having security issues.

@mysk apple fanboys be like "but walled gardens keep us safe" and news like this pop up every month lol
@mysk gosh. I wonder what would happen if a spam phishing email came in like this?

I assume @jiska has already heard about this?