LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials.
The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design.
However, the fake app's name is 'LassPass,' instead of 'LastPass,' and its publisher is listed as 'Parvati Patel.'
In addition, the fake app has only a single rating (the genuine app has over 52,000) and just four reviews, which warn that it is fake.
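As an added illustration, not code from the article or from LastPass: a small Python check that scores an app-store listing against the indicators described above (a near-identical name, an unexpected publisher, a tiny rating count). The legitimate publisher name and the rating threshold are assumptions, and the sample listings are constructed from the values quoted in the article.

```python
from dataclasses import dataclass


@dataclass
class Listing:
    """One app-store listing as a brand-protection monitor would see it."""
    name: str
    publisher: str
    ratings_count: int


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance between two strings."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_listing(listing: Listing, brand: str = "LastPass",
                   legit_publishers=("LastPass",),  # assumed legitimate publisher name
                   max_distance: int = 2, min_ratings: int = 1000) -> list:
    """Return the lookalike indicators that fire for `listing`.

    An empty list means the listing is either the genuine app or not close
    enough to the brand name to be in scope."""
    distance = levenshtein(listing.name, brand)
    if distance > max_distance:
        return []  # unrelated app, nothing to flag
    if distance == 0 and listing.publisher in legit_publishers:
        return []  # exact brand name from an expected publisher
    indicators = []
    if distance > 0:
        indicators.append(f"name '{listing.name}' is {distance} edit(s) from '{brand}'")
    if listing.publisher not in legit_publishers:
        indicators.append(f"publisher '{listing.publisher}' is not an expected publisher")
    if listing.ratings_count < min_ratings:
        indicators.append(f"only {listing.ratings_count} rating(s); the genuine app has far more")
    return indicators


# Constructed sample listings: the fake one uses the values quoted in the article,
# the genuine one assumes the publisher name and rounds the rating count.
FAKE = Listing("LassPass", "Parvati Patel", 1)
GENUINE = Listing("LastPass", "LastPass", 52000)

if __name__ == "__main__":
    for listing in (FAKE, GENUINE):
        print(listing.name, "->", assess_listing(listing) or "no lookalike indicators")
```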
As LastPass is used to store very sensitive information, such as authentication secrets and credentials (username/email and password), the app was likely created to act as a phishing app and steal credentials.
BleepingComputer has not tested the app, so we are not familiar with its inner workings, potential phishing process, or any other details about its functionality.
The real LastPass warned about the existence of the clone app via an alert on its website to raise customers' attention to the risk of data loss.
"We have included the URL for the fraudulent app as well as the link to our legitimate app so that customers can verify they are downloading the correct LastPass application for themselves until the fraudulent app is taken down," reads LastPass' alert.
"Rest assured, LastPass is actively working to get this application taken down as soon as possible and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property."
The inclusion of such an obviously fraudulent app on the Apple App Store is a very rare case, thanks to the company's stringent app review process, which ensures that software in the App Store meets high standards for privacy, security, and content.
This process includes automated checks and manual review by Apple's team to ensure adherence to a detailed set of guidelines that developers must follow. Yet, somehow, this LastPass clone was accepted.
Also, when Apple becomes aware of an app that violates its guidelines, it typically acts quickly to remove it from the App Store and ban the developer. However, the fake LastPass remains available on the Apple App Store at the time of this story's publication.
The same developer has another app on the App Store that seems legitimate, so the possibility of their account having been hijacked by malicious actors cannot be ruled out.
If you have installed the fake LastPass app, you should immediately remove it and change your password at lastpass.com. It is then advised to perform the arduous task of resetting all passwords stored in your LastPass vault to be safe.
BleepingComputer reached out to Apple about the fake LastPass app, but a response was not immediately available.
Update 2/9 - Apple has confirmed to BleepingComputer that the fraudulent LastPass app has now been removed from the App Store for violating their guideline on copycat apps. Also, the app's developer has been removed from the Apple Developer Program.
The Apple spokesperson also noted that the company has a content dispute process in place for developers who believe another project violates their intellectual property rights, confirming that they received a trademark dispute from LastPass regarding the copycat app.
Comments
smashie2000 - 3 weeks ago
Can this get any worse for LastPass?
DIMMReaper_ - 3 weeks ago
IDK, this is egg in the face of Apple for letting something this pathetically made get through the first steps of their app process. This should NEVER happen. I expect this sort of shoddy counterfeit knock-off crap to be seen in the slum shops of 3rd world countries, but not in the Apple Store.
wpontius - 3 weeks ago
So glad I bailed on LastPass before it all went side-ways!
GreenFox - 3 weeks ago
Assuming the article is completely correct, there isn't really anything in it to indicate that LastPass itself did anything wrong in this particular incident. It looks like Apple is at fault here. (Note that LastPass has earned plenty of legitimate criticism from previous incidents.)
tech_engineer - 3 weeks ago
You should change the last warning:
"If you have installed the LastPass app (fake or real), you should immediately remove it and change your passwords"
mr_breast - 3 weeks ago
Apple: sIdElOaDiNg Is DaNGeRoUs
Also Apple:
GreenFox - 3 weeks ago
As of right now, "Lasspass" doesn't appear in a search on either the US iPhone or the US Mac app store.
DIMMReaper_ - 3 weeks ago
GD Apple, how does this even get past the first ****ing point of App vetting? Anyone that got played by this should be able to go for Apple's throat. If I was LastPass I'd sue Apple. LastPass has its own issue but the fact any dillhole can just blatantly drop a fraudulent app on their store like this is ridiculous. Just pathetic.