Apple has removed a fake app that was masquerading as password manager LastPass on the App Store. The illegitimate app was listed under an individual developer’s name (Parvati Patel) and copied LastPass’s branding and user interface in an attempt to confuse users. Beyond being published by a different developer that was not LastPass owner LogMeIn, the fake app also had various misspellings and clues that indicated its fraudulent nature, LastPass said. That such an obviously fake app got through Apple’s App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU’s Digital Markets Act (DMA), by claiming these laws would compromise customer safety and privacy.
Apple said that the DMA, which allows for third-party app stores and payments, could put consumers at risk because they’ll be able to conduct business outside its App Store with unknown parties. Bad actors could potentially utilize the new regulation to trick consumers into buying subscriptions that are difficult to cancel. They could even target consumers with malware, Apple had warned.
When introducing its plan for DMA compliance, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”
But in this case, the threat to consumers was coming from within the App Store itself — not a third-party website.
Still, how large of a threat the fake app actually was remains uncertain.
According to data from app intelligence provider Appfigures, the fake app was released on January 21, which gave it a couple of weeks to capture users’ attention. But several consumers seemed to have caught on that the app was not legit, as all of its App Store reviews were warnings to others that the app was fraudulent, the firm noted.
The fake app also leveraged the keyword “LastPass” to rank in the search results for the term, but this didn’t get it very far — it only ranked No. 7 in the search results early today, Appfigures said.
In addition, the app never ranked on any of Apple’s Top Charts, either its Overall Free Apps chart or those by category, Appfigures said. That lack of traction indicates that the app likely saw only a handful of downloads before being pulled.
While the app likely didn’t manage to dupe many consumers, it could have. What’s more, it’s upsetting to learn that LastPass had to warn customers publicly about a fake app that never should have been published in the first place. And after its blog post was published, the app didn’t get removed from the App Store until the following day.
In all likelihood, Apple took action against the app by pulling it down from the App Store after press reports. Apple has been asked for comment, but one was not immediately provided.
LastPass told TechCrunch it was in touch with Apple representatives over the matter, including how the app got through App Review.
“Upon seeing the fake ‘LassPass’ app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed,” said Christofer Hoff, chief secure technology officer for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team posted a blog yesterday to raise awareness and help inform the public and our customers of the situation. We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed.”
Hoff added that the company is working with Apple to “understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms. The naming convention, the iconography, and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.
Apple confirmed on Friday the app had been removed and its creator was banned from its Apple Developer Program, per Review Guideline which deals with impersonating apps. The company declined to share a public comment.
Updated, 2/8/24, 2:30 PM ET with LastPass comment; 2/9/24 12:57 PM ET with Apple confirmation of removal