We receive a ton of verification codes over the course of the day, whether it be from our banks, or an online service we’re logging into, and so on. Google is one of those companies that relies on verification codes, especially if you have two-factor authentication enabled, and sometimes these codes come in the form of a text message.
Unfortunately for Chris Lacy, the developer behind Action Launcher, it seems that together with his verification code, there was an ad for a VPN included in the text message. According to Lacy, it was even flagged by Google’s Messages app as being a spam message due to the ad.
Update: some Googlers have chimed in and it looks like the ad portion was appended by my carrier to Google's 2FA message.https://t.co/4CGUOw3x2v
— Chris Lacy (@chrismlacy) June 29, 2021
It was initially thought that maybe this could have come from Google since it is a Google verification code, but Google later claimed that it wasn’t. This then led to speculation that it was probably the work of the carrier that Lacy was using who injected the ad into the SMS, which we guess makes sense since it does pass through the carrier’s network before arriving on Lacy’s device.
It is unclear who the carrier might have been but they are based in Australia, and it looks like Google will be doing some investigating on their end. While spam and scam text messages are common, this is actually the first we’re hearing about this and hopefully it won’t become a thing in the future.