Downloading an authentication app? Don't fall for the rogue ones

About two weeks ago, we reported that from March 20, 2023, Twitter will no longer offer SMS authentication to anyone except its Blue subscribers. This means that those using SMS to secure their accounts will need to switch to a different type of two-factor authentication (2FA), such as a hardware key or an authentication app.

Thankfully, the latter is not only one of the most secure 2FA methods available today, but it's also free. All a user needs to do is install an authenticator app from their device's app store, link it to Twitter, and they're good to go (we even made a handy guide). However, according to a recent report by Sophos, app stores are currently plagued with rogue authenticator apps that aim to drain victims' wallets and steal sensitive data.

Which authenticator app am I gonna go with? 🤔 pic.twitter.com/iO3y91D2Gp

— Mysk 🇨🇦🇩🇪 (@mysk_co) February 20, 2023

In an email to Sophos, developer Tommy Mysk said that he and his team analyzed several authenticator apps after Twitter announced the discontinuation of SMS-based 2FA for regular users. They found several fraudulent authenticator apps that look almost identical, many of which also ask users to pay $20-40 for a yearly subscription to the service. They even found one that sends every scanned QR code to the developer's Google Analytics account.

Many of these suspicious authenticator apps use this technique to trick users. After you finish the welcome wizard after the first launch, you get the in-app purchase view. And the x button to dismiss the view appears after a few seconds (upper right corner) #AppStore pic.twitter.com/sgxEo5ZwF0

— Mysk 🇨🇦🇩🇪 (@mysk_co) February 20, 2023

It's safe to say fake authenticator apps will continue to proliferate on app stores once Twitter disables SMS-based 2FA for some of its users. Protect yourself by downloading only established authenticator apps, such as Google Authenticator, Microsoft Authenticator, Authy, LastPass Authenticator, and Duo Mobile. Most of these apps don't charge anything, so you can protect your online accounts without subscribing to a premium service.

Source: Sophos
