Tuesday, February 21, 2023

Scam Authenticator App Steals QR Codes

Ben Lovejoy:

Twitter’s latest bonehead move has led to a flurry of scam authenticator apps, with at least one of them using App Store advertising to figure prominently in search results – and then sending all scanned QR codes to the developer’s analytics service.

[…]

Developer and security researcher Mysk quickly spotted a whole bunch of suspiciously-similar apps, all of which demand an in-app subscription purchase in order to scan QR codes.

[…]

At least one of these tries to force you to subscribe even if you tap the close box.

Not only were a dozen of these apps approved by App Review, but they’re also promoted by App Store search ads. The point is not that Apple should have caught this but that, in general, they can’t, so they should not be claiming to keep you safe. Apple’s ads, its store, and its illusion of safety make it more likely that people will get themselves into trouble than if they had to somehow discover and trust an unknown authenticator app on a random Web site.
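To make concrete what “sending all scanned QR codes to the developer’s analytics service” means, here is an added example (my own code, not from any app or researcher mentioned above) that parses a constructed `otpauth://` enrolment payload of the kind an authenticator QR code encodes, and shows that the raw string alone is enough to compute the same one-time codes as the user’s phone. The sample URI, the `Example`/`alice@example.com` names and the `telemetry_safe_view` helper are my assumptions; the secret is the RFC 4226/6238 test-vector key, so the codes can be checked against the RFC tables.

```python
"""Added example: what an authenticator enrolment QR code contains, and why the
raw payload must never leave the device. Not code from any app on this page."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample payload, not taken from any real enrolment. The secret is the
# RFC 4226/6238 test-vector key "12345678901234567890", base32-encoded.
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth:// URI (the de facto Google Authenticator format) into fields."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("otpauth URI carries no secret")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    return {
        "type": parts.netloc,
        "issuer": query.get("issuer") or issuer_from_label or None,
        "account": account,
        "secret": query["secret"],  # the shared key: this IS the second factor
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, then RFC 4226 dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", at // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_from_payload(uri: str, at: int) -> str:
    """Whoever holds the raw QR payload can compute the same code as the user's phone."""
    enrol = parse_otpauth(uri)
    return totp(enrol["secret"], at, enrol["digits"], enrol["period"], enrol["algorithm"])


def telemetry_safe_view(enrol: dict) -> dict:
    """Hypothetical helper: the most an app should ever report off-device about an
    enrolment. No secret, no account name, no raw URI."""
    return {k: enrol[k] for k in ("type", "issuer", "algorithm", "digits", "period")}


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_QR_PAYLOAD)
    print("fields encoded in the QR code:", enrol)
    print("code right now:", code_from_payload(SAMPLE_QR_PAYLOAD, int(time.time())))
    print("what telemetry may carry:", telemetry_safe_view(enrol))
```

The lesson for reviewers and for anyone auditing an authenticator app’s network traffic: the scanned string is not “just a QR code”, it is the key. An app that forwards it to an analytics endpoint has handed the second factor to whoever runs that endpoint, and with the RFC test key above you can confirm the arithmetic (time 59 yields 287082, matching RFC 6238).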

Via Jeff Johnson, whose app was recently rejected:

This screenshot wasn’t taken by App Store review though; it’s one of my own App Store screenshots! In fact it’s not even a new screenshot, as you can see from the date “Sat Oct 2”, but just an old screenshot carried forward from an earlier version of StopTheScript (in the App Store since October 2021). As I said, nothing changed in the new version except the launch screen.

[…]

App Store Review should know how to use Safari extensions, and understand the Safari permissions system, since they review Safari extensions, right?

Update (2023-02-23): Mysk:

One of the sketchy authenticator apps

Developer: SOGOOD INDUSTRY LIMITED
Website: A Google Docs form
Privacy policy: A Google Docs page
Ratings: 4.9/5

App Review team: Spotify’s new audiobooks offering breaks the rules governing how developers may communicate with customers

Mysk:

These two scam authenticator apps are very similar. Their binaries clearly show that they’re clones. It’s funny that their support links redirect to the same Google Docs form 🤦‍♂️. They’re published by two different registered businesses. Both apps are now removed ✌️

Update (2023-02-27): Mysk:

Many iPhone users are asking us to recommend safe authenticator apps. Well, the App Store is making it useless to recommend any app. No matter what you search for, the top hit is almost always an ad for a scam app.

Paul Ducklin:

When we tried searching on the App Store, for example, our top hit was an app with a description that bordered on the illiterate (we’re hoping that this level of unprofessionalism would put at least some people off right away), created by a company using the name of a well-known Chinese mobile phone brand.

Given the apparent poor quality of the app (though it had nevertheless made it into the App Store, don’t forget), our first thought was that we were looking at out-and-out company name infringement.

We were surprised that the presumed imposters had been able to acquire an Apple code signing certificate in a name we didn’t think they had the right to use.

We had to read the company name twice before we realised that one letter had been swapped for a lookalike character, and we were dealing with good old “typosquatting”, or what a lawyer might call passing off – deliberately picking a name that doesn’t literally match but is visually similar enough to mislead you at a glance.
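The one-character swap Ducklin describes is a homoglyph variant of typosquatting, and it is cheap to screen for. The following is an added example (my own code, not Sophos’s or anything from the page) that folds a publisher name to a script-neutral “skeleton” in which lookalike characters coincide, then flags candidates whose skeleton matches a known brand while the actual string differs. The brand names are constructed, the confusables table is a hand-picked subset of the Unicode TR39 list, and `scripts_used` approximates the Unicode script property from `unicodedata.name()` because the standard library has no direct script lookup.

```python
"""Added example: spotting lookalike-character publisher names (homoglyph
typosquatting). Not code from the page; brand names are constructed."""
import unicodedata

# Hand-picked subset of Unicode TR39 confusables, keyed on the casefolded form.
# Cyrillic and Greek letters that render like Latin ones, plus digit/letter swaps.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u04cf": "l", "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u0131": "i",
    "\u2113": "l", "0": "o", "1": "i", "|": "i",
    # lowercase L and capital I are indistinguishable in many sans-serif fonts
    "l": "i",
}

# Constructed brand list standing in for the "well-known brand" in the text.
KNOWN_BRANDS = ["Fonexa Mobile", "Acme Authenticator"]


def skeleton(name: str) -> str:
    """Collapse a name so that visually confusable spellings become identical."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = stripped.casefold()
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    # classic multi-character confusions
    return mapped.replace("rn", "m").replace("vv", "w")


def scripts_used(name: str) -> set:
    """Approximate set of scripts in a name, e.g. {'LATIN', 'CYRILLIC'}.
    Assumption: the first word of the Unicode character name is the script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def lookalike_of(candidate: str, known_brands=KNOWN_BRANDS):
    """Return the brand a candidate impersonates, or None if it is either the
    brand itself or unrelated. Same skeleton + different real string = lookalike."""
    for brand in known_brands:
        if candidate.casefold() != brand.casefold() and skeleton(candidate) == skeleton(brand):
            return brand
    return None


def review_flags(candidate: str, known_brands=KNOWN_BRANDS) -> list:
    """Human-readable reasons a store reviewer would want surfaced for a publisher name."""
    flags = []
    target = lookalike_of(candidate, known_brands)
    if target:
        flags.append(f"lookalike of {target!r}")
    scripts = scripts_used(candidate)
    if len(scripts) > 1:
        flags.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return flags


if __name__ == "__main__":
    # Constructed impostors: Cyrillic а (U+0430), digit zero, capital I for l.
    for name in ["Fonexa Mobile", "Fonex\u0430 Mobile", "F0nexa Mobile",
                 "Fonexa MobiIe", "Unrelated Studio"]:
        print(f"{name!r:25} -> {review_flags(name) or 'no flags'}")
```

Run this over a feed of publisher names and it surfaces exactly the case in the quote: a name that a human reads as the brand but that does not match it byte for byte. The mixed-script check is the cheaper signal and catches the Cyrillic swap even when the brand is not in your list; the skeleton comparison catches digit and `l`/`I` swaps that stay within Latin script.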
