A carrier may have injected ads into Google’s 2FA texts (Update: Google responds)
July 16, 2025
Update: June 12, 2025 (1:39 AM ET): Google has come back to us after a developer received an injected ad in his Google two-step verification text message. And it looks like the user’s carrier is to blame for this.
“These are not our ads and we are currently working with the wireless carrier to understand why this happened,” a Google spokesperson told Android Authority in response to an emailed query. Hopefully, this is an isolated incident and not indicative of widespread ad injection in Google’s 2FA texts.

Original article: June 02, 2025 (5:20 AM ET): Two-step verification (or two-factor authentication) is one of the best ways to protect your financial and online accounts, but SMS-based verification is definitely less secure than using an authenticator app. We’ve seen several cases of bad actors using SMS-based verification for malicious purposes, and a mobile carrier may have exposed this solution as insecure once again.
Compounding matters was the fact that Google Messages marked the SMS as spam, ostensibly due to it detecting the offending text appended to the verification code. Googlers have also chimed in to note that the search giant didn’t inject the ad into the verification SMS, instead suggesting that the unnamed Australian carrier is to blame.

We’ve contacted Google for an official explanation and will update the article if/when the company gets back to us. This would nevertheless be a pretty notable breach of trust on the carrier’s part if confirmed, as the last thing you want is for your 2FA verification text messages to look suspicious.
The practice could also be a major inconvenience if SMS apps send a legitimate verification text to a spam folder, as was the case here. This could make life tough for people who aren’t tech-savvy and might not know that they have to check the spam folder.
Have you ever seen ads in verification text messages sent by Google? Let us know via the comments section. Otherwise, there are plenty of great authenticator apps out there that we’d recommend over SMS-based authentication.