A fake app masquerading as password manager LastPass just got pulled from the App Store
A fake app that was masquerading as password manager LastPass on the App Store has been removed, though it is not yet clear whether Apple or the fake app’s developer took it down; Apple has not commented. The illegitimate app was listed under an individual developer’s name (Parvati Patel) and copied LastPass’s branding and user interface in an attempt to confuse users. Beyond being published by a different developer that was not LastPass owner LogMeIn, the fake app also had various misspellings and clues that indicated its fraudulent nature, LastPass said. That such an obviously fake app got through Apple’s App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU’s Digital Markets Act (DMA), by claiming these laws would compromise customer safety and privacy.
Apple said that the DMA, which allows for third-party app stores and payments, could put consumers at risk because they’ll be able to conduct business outside its App Store with unknown parties. Bad actors could potentially utilize the new regulation to trick consumers into buying subscriptions that are difficult to cancel. They could even target consumers with malware, Apple had warned.
When introducing its plan for DMA compliance, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”
But in this case, the threat to consumers was coming from within the App Store itself — not a third-party website.
Still, how large of a threat the fake app actually was remains uncertain.
According to data from app intelligence provider Appfigures, the fake app was released on January 21st, which gave it a couple of weeks to capture users’ attention. But several consumers seemed to have caught on that the app was not legit, as all of its App Store reviews were warnings to others that the app was fraudulent, the firm noted.
The fake app also leveraged the keyword “LastPass” to rank in the search results for the term, but this didn’t get it very far — it only ranked No. 7 in the search results as of early today, Appfigures said.
In addition, the app never ranked on any of Apple’s Top Charts, either its Overall Free Apps chart or those by category, Appfigures said. That lack of traction indicates that the app likely saw only a handful of downloads before being pulled.
While the app likely didn’t manage to dupe many consumers, it could have. What’s more, it’s upsetting to learn that LastPass had to warn customers publicly about a fake app that never should have been published in the first place. And after its blog post was published, the app didn’t get removed from the App Store until the following day.
In all likelihood, Apple took action against the app by pulling it down from the App Store after press reports. Apple has been asked for comment, but one was not immediately provided.