Google gamed into advertising a malicious version of Authenticator

Scammers have been using Google's own ad system to fool people into downloading a borked copy of the Chocolate Factory's Authenticator software. A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google approved domain – and from a verified user – earlier this week. They even list the domain …

  1. nightflame2

    This is just the tip of the iceberg. Most apps are now riddled with adverts. And a lot of these ads are official-looking scams. From the ones I get presented with, it's clear Google does little to no checking on what is shown in banner ads in apps through Google's own ad service. Joe Public does not stand a chance.

    1. Wade Burchette

      It seems to me that advertisers only care if the money is good. For that reason, people who use ad-blockers are not the bad people, the advertisers are.

      I use Firefox + NoScript and that blocks all of the malicious ads that redirect your browser. But some websites do not work on Firefox -- because testing on multiple products is so passé ... but that is a story for another day. So I use Brave on those websites. And a few try to guilt me into turning off my security software, what they call my ad-blocker. I make it a point to tell them that my security and privacy are more important than their profit. I also tell them that they are the evil ones for allowing malvertising to exist.

      Ads are not a problem. It is what they have become that is the problem. If ads went to the days when the internet went from luxury to necessity I wouldn't mind so much. If static, non-in-your-face, non-tracking, and safe ads worked once, they can work again.

  2. Hazmoid

    alternate authenticators

    Getting users to download an authenticator is hard enough without bad actors getting into the action. I have seen a number of people caught out with the Microsoft Authenticator being spoofed and then being asked for account details to pay for the software. There is a product in both the Play Store and the App Store that is very similar in design to the MS authenticator logo.

  3. Missing Semicolon Silver badge

    Google Play as well.

    Try searching for "google authenticator" on Play. The top hit is the correct app, but above it is an advert for another authenticator app. Full of ads, requiring payment.

  4. Vulture@C64

    Oh wait, is Apple not so nasty now, you do see the benefit of the Apple App Store. Well well well.... :)

    1. loops

      Did you forget to take your medication again?

      1. Vulture@C64

        It's funny, even when Google is shown to be negligent, careless and running rampant over people's data protection rights, and Apple does the opposite, TheReg still can't appreciate the benefit of using an iPhone or iPad. 9 thumbs down and just two up :). It's like having racist friends :)

        1. Anonymous Coward

          As if Apple doesn't have bogus apps...

        2. yetanotheraoc Silver badge

          whut?

          Are you saying your racist friends tend to downvote you as well?

  5. big_D

    I always recommend...

    "We recommend avoiding clicking on ads to download any kind of software."

    I recommend avoiding clicking on ads. I never click on ads, I go direct to the site in question and use a voucher code, if there is one, but I never click on an ad, if I can help it - a few times X has interpreted finger scrolling as a click...

  6. Gene Cash Silver badge

    "some of the code on the site is written in Russian"

    That's kind of a lazy sentence. I assume it means the comments are in Russian?

    Otherwise, I have to ask: is it better than Rust?

  7. pc-fluesterer.info
    FAIL

    Trusted? TRUSTED?

    "Google Authenticator is a ... trusted multifactor authentication ..."

    What?

    I for one would NEVER trust Google nor Microsoft, not at 2FA, nowhere.

    For 2FA I use Aegis which is a FOSS TOTP App. The second choice would be FreeOTP, FOSS as well.

  8. Cook942

    Their laziness finally bit them in the ass

    I work for a fairly large retailer and every few weeks we report another fake ad for our website being hosted at the top of Google's search results. Incorrectly stating the address it is directing you to. It's been reported to them countless times but they would rather accept the ad revenue then deal with the occasional report than actually fix the incorrect website being displayed. I'm glad they have been hit by an issue that I'm sure many other people and companies are hit by constantly.
