Downloading an authentication app? Don't fall for the rogue ones

About two weeks ago, we reported that by March 20, 2023, Twitter will no longer offer everyone SMS authentication except for its Blue subscribers. This means that for those using SMS to secure their accounts, they will need to switch to a different type of two-factor authentication (2FA), such as a hardware key or an authentication app.

Thankfully, the latter is not just one of the most secure 2FA methods today, but it's also free. All a user needs to do is to install an authentication app on their device's app store, link it to Twitter, and they're good to go (we even made a handy guide). However, according to a recent report by Sophos, app stores are currently plagued with rogue authentication apps that aim to drain a victim's wallet and steal sensitive data.

In an email to Sophos, developer Tommy Mysk said that he and his team analyzed several authenticator apps after Twitter announced the discontinuation of SMS-based 2FA for regular users. They found not only several fraudulent authenticator apps that look almost the same, but many also ask users to pay $20-40 for a yearly subscription to the service. They even found one that sends every scanned QR code to the developer’s Google analytics account.

It's safe to say fake authenticator apps will continue to proliferate on app stores as soon as Twitter disables SMS-based 2FA for some of its users. Protect yourself from these by downloading only established authenticator apps, such as Google Authenticator, Microsoft Authenticator, Authy, Lastpass Authenticator, and Duo Mobile. Most of these apps don't charge anything, so you can easily protect your online accounts without subscribing to a premium service.

Source: Sophos