A fake app disguised as the LastPass password manager has been removed from the App Store. It’s not yet clear whether Apple or the fake app’s developer removed it; Apple has not commented. The illegal app was registered under the name of a single developer (Parvati Patel) and copied LastPass’ branding and user interface in an attempt to confuse users. Aside from being published by a developer that wasn’t LastPass owner LogMeIn, the fake app also had various spelling errors and clues indicating its fraudulent nature, LastPass said. That such an obviously fake app made it past Apple’s app review process is a bad look for the tech giant, which is fighting new regulations such as the EU’s Digital Markets Act (DMA), claiming that these laws would compromise customer security and privacy.
Apple said the DMA, which allows app stores and third-party payments, could put consumers at risk because they would be able to transact outside of its App Store with unknown parties. Bad actors could potentially use the new regulation to trick consumers into buying subscriptions that are difficult to cancel. They could even target consumers with malware, Apple had warned.
In presenting its plan to comply with the DMA, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illegal and harmful content, and other threats to privacy and security.”
But in this case, the threat to consumers came from the App Store itself — not a third-party site.
Image Credits: App Store screenshot courtesy of Appfigures
However, how big of a threat the fake app actually was remains uncertain.
According to data from the application information provider Appfigures, the fake app was released on January 21, which gave it two weeks to gain users’ attention. However, several consumers seemed to have figured out that the app was not legitimate, as all App Store reviews were warnings to others that the app was fraudulent, the company noted.
The fake app also used the keyword “LastPass” to rank in search results for the term, but that didn’t make it very far — it only ranked 7th in search results early today, Appfigures said.
Additionally, the app never ranked on any of Apple’s top charts, either the Total Free Apps chart or those by category, Appfigures said. This lack of traction indicates that the app probably only saw a few downloads before it was pulled.
While the app likely failed to trick many consumers, it could have. Additionally, it’s upsetting to learn that LastPass had to publicly warn customers about a fake app that should never have been released in the first place. And after its blog post was published, the app was pulled from the App Store the next day.
In all likelihood, Apple took action against the app by pulling it from the App Store after reports in the press. Apple has been asked for comment, but one was not immediately provided.
LastPass told TechCrunch that it has been in contact with Apple representatives about the matter, including how the app passed App Review.
“Upon seeing the fake ‘LassPass’ app in the Apple app store, LastPass immediately launched a coordinated and multi-pronged approach across our threat intelligence, legal and engineering teams to remove the fraudulent app,” said Christofer Hoff, head of safe technology for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team published a blog yesterday to raise awareness and help inform the public and our customers about the situation. We are in direct contact with Apple representatives and they have confirmed receipt of our complaints and are working on the process to remove the fraudulent app.”
Hoff added that the company is working with Apple to “understand more broadly how an app like this got past its usually strict security and brand protection mechanisms. The naming convention, iconography and description of the rogue app all borrow heavily from LastPass and this appears to be a deliberate attempt to target LastPass users,” he said.
Updated, 2/8/24, 2:30 p.m. ET with LastPass comment