A fake app masquerading as the password manager LastPass has been removed from the App Store, but it's still unclear whether it was removed by Apple or by the fake app's developer. Apple has not commented. The illegal app was listed under the name of an individual developer (Parvati Patel) and copied LastPass' branding and user interface in order to confuse users. LastPass said the fake app was not only published by a different developer than LastPass owner LogMeIn, but also contained various misspellings and other clues to its fraudulent nature. That such a clearly fake app passed through Apple's App Review process makes a bad impression for a tech giant that has opposed new regulations such as the EU's Digital Markets Act (DMA), arguing that they compromise customer safety and privacy.
Apple said the DMA, which enables third-party app stores and payments, could put consumers at risk by allowing them to transact with unknown parties outside of the App Store. Bad actors could take advantage of this new regulation to trick consumers into purchasing subscriptions that are difficult to cancel. Apple also warned that consumers could be targeted with malware.
In introducing its plans for DMA compliance, Apple said, “New options for processing payments and downloading apps on iOS will protect you from malware, scams, illegal and harmful content, and other privacy and security threats. Opening new paths,” the company wrote.
But in this case, the threat to consumers did not come from a third-party website, but from the App Store itself.
Still, it remains unclear how much of a threat the fake apps actually pose.
The fake app was released on January 21 and took two weeks to gain user attention, according to data from app intelligence provider Appfigures. However, the company noted that some consumers appear to have realized the app was not legitimate, as all App Store reviews were warning other consumers that the app was fraudulent.
The fake app also used the keyword “LastPass” to rank in search results for that term, but it didn't achieve much success, ranking only 7th in search results as of today, Appfigures said.
Additionally, Appfigures said the app has never ranked in Apple's top charts, either in the overall free apps chart or in the category charts. This lack of traction indicates that the app may only have seen a few downloads before being removed.
The app may not have fooled many consumers, but it could have. Additionally, it is upsetting that LastPass had to publicly warn customers about a fake app that should never have been released in the first place. And after the blog post was published, the app wasn't removed from the App Store until the next day.
Presumably, Apple took the step of removing the app from the App Store in response to the reports. Apple was asked for comment but did not immediately respond.
LastPass told TechCrunch that it has been in contact with Apple representatives regarding this matter, including how the app passed App Review.
“Upon discovering the fake LastPass app in the Apple App Store, LastPass immediately initiated a coordinated, multifaceted approach across our threat intelligence, legal, and engineering teams to remove the malicious app,” Christopher Hoff, Chief Secure Technology Officer at LastPass, said in a statement provided to TechCrunch. “Our Threat Intelligence team posted a blog yesterday to raise awareness and keep the public and our customers informed of the situation. We have been in direct contact with Apple representatives and they have acknowledged receipt of our complaint and are in the process of removing the fraudulent app.”
Hoff added that the company is working with Apple to “more broadly understand how applications like this get past our normally rigorous security and brand protection mechanisms.” “The naming convention, iconography, and description of the fraudulent app are all heavily borrowed from LastPass, which appears to be a deliberate attempt to target LastPass users,” he said.
Updated on February 8, 2024, 2:30pm ET with comments from LastPass.