Photo Credit: Bryce Durbin / TechCrunch

A counterfeit version of the password manager LastPass has been pulled from the App Store, though it is unclear whether Apple or the fake app’s developer removed it, as Apple has not yet responded. The rogue app was attributed to a developer named Parvati Patel and replicated the LastPass logo and user interface in an attempt to deceive users. In addition to being published by a third-party developer not associated with LastPass owner LogMeIn, the fake app contained mislabeled content and warnings indicating fraud, as reported by LastPass.

The fact that such a fake app made it through Apple’s App Review process reflects poorly on the tech giant, especially in light of its opposition to new laws like the EU’s Digital Markets Act (DMA), which Apple claims would compromise customer security and privacy. Apple has warned that the DMA, by enabling third-party app stores to conduct transactions, could expose consumers to risk by allowing them to do business with unknown parties outside the App Store. Apple cautioned that bad actors could exploit the new law to deceive consumers into purchasing difficult-to-cancel subscriptions and potentially unleash malware. In its statement about DMA compliance, Apple said, “New methods for altering payment and downloading apps on iOS create new avenues for malware, scams, illegitimate commerce, and other privacy and security threats.” In this case, however, the threat to consumers emanated from within the App Store itself, rather than from a third party.
Additional Images: App Store Image, courtesy of Appfigures

The scale of the threat posed by the fake software remains unknown. According to Appfigures, a provider of app intelligence, the phony app was launched on January 21, giving it a few weeks to attract attention from users. However, it seems that many consumers recognized the app as counterfeit, as all of its App Store reviews cautioned others about its fraudulent nature, the company revealed. The rogue app also leveraged the keyword “LastPass” to rank in search results, but its ranking only reached No. 7, according to Appfigures. Furthermore, the app never appeared on any of Apple’s Top Charts, including overall Free Apps and its specific category. According to Appfigures, this absence suggests that the app may have had minimal downloads before being taken down.

While the app may not have garnered significant traction among consumers, it is nevertheless disheartening that LastPass had to publicly warn users about a fake app that should never have made it to the App Store in the first place. Moreover, the app was only removed from the store the day after LastPass published its blog post alerting users to the issue. It appears that Apple only took action after media reports surfaced. TechCrunch reached out to Apple for comment, but none was immediately provided. LastPass informed TechCrunch that it had contacted Apple representatives regarding the matter and lodged a complaint about the app through App Review.

Commenting on the situation, Christofer Hoff, Chief Security Officer for LastPass, stated, “Following the discovery of the fake ‘LassPass’ app on the Apple App store, LastPass immediately launched a coordinated and multi-disciplinary effort involving our intelligence, legal and technical teams to eliminate the fraudulent app.” Hoff added that LastPass’s threat intelligence team had posted a blog to inform the public and customers about the situation.
He confirmed that LastPass is in direct communication with Apple representatives, that Apple has acknowledged receipt of the complaint, and that they are working to have the fraudulent app removed. Hoff also noted that the company is collaborating with Apple to gain a better understanding of how an app like this managed to bypass their standard security measures and brand safety. “The naming convention, images, and description of the phishing program are all borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.

Updated 2/8/24, 2:30 PM ET with LastPass comments.