The official Google Chrome extension website is the safest place to download add-ons, but it's by no means impervious. Evidence of this emerged recently after Google removed a fake Microsoft Authenticator add-on from its Chrome store.
The Unauthentic Authenticator on the Chrome Store
As reported by The Register, Google has just removed a fake Microsoft Authenticator app from its Chrome store. This occurred around 24 hours after the internet lit up with reports of the imposter app.
The scammers were likely abusing the fact that Microsoft doesn't have an official Authenticator extension for Chrome just yet. As such, their malicious version would appear at the top of search results with no official app to contest it.
Fortunately, there were telltale signs that the app was not legit. For instance, the app didn't claim Microsoft developed it; instead, the company name was entered as just "Extension."
Despite this, the extension saw hundreds of downloads and had a three-star rating at the time of deletion. As such, users who didn't check the extension's full credentials would likely fall into the trap.
We don't know the full extent of what the fake authenticator app did once someone downloaded it. However, reports show that it displayed fake Microsoft login pages to phish for people's passwords. It also caused high CPU usage, which meant it was likely engaging in cryptojacking.
Of course, Microsoft had some choice words for the Google Chrome store in a statement to The Register:
Microsoft has never had a Chrome extension for Microsoft Authenticator. The company encourages users to report any suspicious extensions to the Chrome Web Store.
This recent event casts some light on the security of the Chrome Web Store. For instance, how did someone get through Google's security by uploading an app without using the official "Microsoft Corporation" developer profile on the Chrome Web Store?
Regardless, it shows that you can't fully trust every app on the internet, even if it's on an official app store. If you did download any Microsoft Authenticators for Chrome in the past, be sure to delete them ASAP, then run a virus scan and change your Microsoft account password to ensure everything is okay.
A Bad Rap for the Google App Store
Microsoft doesn't have an official Authenticator extension released at the time of writing, so if you do see one in the wild, treat it with extreme caution. A recent scam proved that not everything is as it seems, but is it more the user's fault or Google's for letting it onto its store in the first place?
Scams like this happen on every app store, but there are ways you can protect yourself. By checking the reviews, download count, and the developer, you can better deduce whether the app you're looking at is the real deal.