A fake app masquerading as password manager LastPass just got pulled from the App Store



A fake app that was masquerading as password manager LastPass on the App Store has been removed, though it is not yet clear whether Apple or the fake app’s developer pulled it; Apple has not commented. The illegitimate app was listed under an individual developer’s name (Parvati Patel) and copied LastPass’s branding and user interface in an attempt to confuse users. Beyond being published by a developer other than LastPass owner LogMeIn, the fake app also had various misspellings and other clues that indicated its fraudulent nature, LastPass said. That such an obviously fake app got through Apple’s App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU’s Digital Markets Act (DMA), by claiming these laws would compromise customer safety and privacy.

Apple said that the DMA, which allows for third-party app stores and payments, could put consumers at risk because they’ll be able to conduct business outside its App Store with unknown parties. Bad actors could potentially utilize the new regulation to trick consumers into buying subscriptions that are difficult to cancel. They could even target consumers with malware, Apple had warned.

When introducing its plan for DMA compliance, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

But in this case, the threat to consumers was coming from within the App Store itself — not a third-party website.

Image Credits: App Store screenshot, courtesy of Appfigures

Still, how large of a threat the fake app actually was remains uncertain.

According to data from app intelligence provider Appfigures, the fake app was released on January 21, which gave it a couple of weeks to capture users’ attention. But several consumers seemed to have caught on that the app was not legit, as all of its App Store reviews were warnings to others that the app was fraudulent, the firm noted.

The fake app also leveraged the keyword “LastPass” to rank in the search results for the term, but this didn’t get it very far — it only ranked No. 7 in the search results early today, Appfigures said.

In addition, the app never ranked on any of Apple’s Top Charts, either its Overall Free Apps chart or those by category, Appfigures said. That lack of traction indicates that the app likely saw only a handful of downloads before being pulled.

While the app likely didn’t manage to dupe many consumers, it could have. What’s more, it’s upsetting to learn that LastPass had to warn customers publicly about a fake app that never should have been published in the first place. And after its blog post was published, the app didn’t get removed from the App Store until the following day.

In all likelihood, Apple took action against the app by pulling it down from the App Store after press reports. Apple has been asked for comment, but one was not immediately provided.

LastPass told TechCrunch it was in touch with Apple representatives over the matter, including how the app got through App Review.

“Upon seeing the fake ‘LassPass’ app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed,” said Christofer Hoff, chief secure technology officer for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team posted a blog yesterday to raise awareness and help inform the public and our customers of the situation. We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed.”

Hoff added that the company is working with Apple to “understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms. The naming convention, the iconography, and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.

Updated, 2/8/24, 2:30 PM ET with LastPass comment


Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
