Hadlee Simons / Android Authority
TL;DR
  • A developer has reported injected ads in their Google verification text message.
  • The Google Messages app subsequently marked it as spam.
  • Google has since clarified that it didn’t inject this ad into the text.

Update: June 30, 2021 (1:39 AM ET): Google has come back to us after a developer received an injected ad in his Google two-step verification text message. And it looks like the user’s carrier is to blame for this.

“These are not our ads and we are currently working with the wireless carrier to understand why this happened,” a Google spokesperson told Android Authority in response to an emailed query. Hopefully, this is an isolated incident and not indicative of widespread ad injection in Google’s 2FA texts.

Original article: June 29, 2021 (5:20 AM ET): Two-step verification (or two-factor authentication) is one of the best ways to protect your financial and online accounts, but SMS-based verification is definitely less secure than using an authenticator app. We’ve seen several cases of bad actors using SMS-based verification for malicious purposes, and a mobile carrier may have exposed this solution as insecure once again.

Action Launcher developer Chris Lacy tweeted that his Google verification code SMS featured an advertisement for a VPN service (spotted by 9to5Google). It wasn’t a sketchy phishing SMS either, as this was indeed a legitimate 2FA text from Google — Lacy reported that the verification code in question was successfully used.

Compounding matters was the fact that Google Messages marked the SMS as spam, ostensibly due to it detecting the offending text appended to the verification code. Googlers have also chimed in to note that the search giant didn’t inject the ad into the verification SMS, instead suggesting that the unnamed Australian carrier is to blame.

We’ve contacted Google for an official explanation and will update the article if/when the company gets back to us. This would nevertheless be a pretty notable breach of trust on the carrier’s part if confirmed, as the last thing you want is for your 2FA verification text messages to look suspicious.

The practice could also be a major inconvenience if SMS apps send a legitimate verification text to a spam folder as was the case here. This could make life tough for people who aren’t tech-savvy and might not know that they have to check the spam folder.

Have you ever seen ads in verification text messages sent by Google? Let us know via the comments section. Otherwise, there are plenty of great authenticator apps out there that we’d recommend over SMS-based authentication.