A fake app pretending to be the LastPass password manager has just been removed from the App Store


A fake application that was pretending to be the LastPass password manager on the App Store has been removed. It is not yet clear whether Apple or the developer of the fake application removed it, and Apple has not commented. The illegitimate app was listed under the name of an individual developer (Parvati Patel) and copied LastPass’s branding and user interface in an attempt to confuse users. Beyond being published by a different developer that wasn’t LastPass owner LogMeIn, the fake application also contained various spelling mistakes and clues indicating its fraudulent nature, LastPass said. The fact that such a fake app went through Apple’s app review process is a bad look for the tech giant, which opposes new regulations, like the EU's Digital Markets Act (DMA), claiming that these laws would compromise the security and privacy of customers.

Apple said the DMA, which allows third-party app stores and payments, could put consumers at risk because they will be able to do business outside of its App Store with unknown parties. Bad actors could potentially use the new regulations to trick consumers into purchasing subscriptions that are difficult to cancel. They could even target consumers with malware, Apple had warned.

When presenting its DMA compliance plan, Apple wrote: “New payment processing and app download options on iOS open new avenues for malware, fraud and scams, illegal and harmful content, and other privacy and security threats.”

But in this case, the threat to consumers came from the App Store itself, not a third-party website.


Still, the extent of the threat the fake app actually posed remains unclear.

Based on data from app intelligence provider Appfigures, the fake app launched on January 21, giving it a few weeks to capture users’ attention. But several consumers seemed to have figured out that the app wasn’t legitimate, because all the reviews on the App Store were warnings to others that the app was fraudulent, the company noted.

The fake app also exploited the keyword “LastPass” to rank in search results for the term, but it didn’t get very far: it only ranked #7 in search results earlier today, Appfigures said.

Additionally, the app has never ranked in any of Apple’s top rankings, either in the overall free apps rankings or those by category, Appfigures said. This lack of traction indicates that the app likely only saw a handful of downloads before being taken down.

While the app probably didn’t succeed in fooling many consumers, it could have done so. Additionally, it’s upsetting to learn that LastPass had to publicly warn its customers about a fake app that should never have been released in the first place. And after LastPass published its blog post, the app wasn’t removed from the App Store until the next day.

In all likelihood, Apple took action against the app by removing it from the App Store after press reports. Apple was asked for comment, but none was immediately provided.

LastPass told TechCrunch that it was in contact with Apple representatives about the matter, including how the app passed app review.

“Upon seeing the fake ‘LassPass’ app in the Apple App Store, LastPass immediately initiated a coordinated, multi-faceted approach across our threat intelligence, legal and engineering teams to remove the fraudulent app,” said Christofer Hoff, Director of Secure Technology for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team published a blog yesterday to raise awareness and help inform the public and our customers of the situation. We are in direct contact with Apple representatives, and they have confirmed receipt of our complaints, and we are working on the process to remove the fraudulent application.”

Hoff added that the company is working with Apple to “understand more broadly how an app like this passed its normally rigorous security and brand protection mechanisms.” “The naming convention, iconography and description of the scam app are all borrowed heavily from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.

Updated 2/8/24, 2:30 p.m. ET with LastPass comment

