
GREAT PRETENDER — A password manager LastPass calls fraudulent booted from App Store
“LassPass” mimicked the name and logo of the real LastPass password manager.

Dan Goodin – Feb 8, 2024 10:16 pm UTC

As Apple has stepped up its promotion of its App Store as a safer and more trustworthy source of apps, its operators scrambled Thursday to correct a major threat to that narrative: a listing that password manager maker LastPass said was a fraudulent app impersonating its brand.

At the time this article on Ars went live, Apple had removed the app, titled LassPass and bearing a logo strikingly similar to the one used by LastPass, from its App Store. At the same time, Apple allowed a separate app submitted by the same developer to remain. Apple provided no explanation for removing the former app or for allowing the latter to remain.

Apple warns of new risks from competition

The move comes as Apple has beefed up its efforts to promote the App Store as a safer alternative to competing sources of iOS apps mandated recently by the European Union. In an interview with App Store head Phil Schiller published this month by FastCompany, Schiller said the new app stores will bring new risks, including pornography, hate speech, and other forms of objectionable content, that Apple has long kept at bay.

"I have no qualms in saying that our goal is going to always be to make the App Store the safest, best place for users to get apps," he told writer Michael Grothaus. "I think users, and the whole developer ecosystem, have benefited from that work that we've done together with them. And we're going to keep doing that."

Somehow, Apple's app vetting process, long vaunted even though Apple has provided few specifics, failed to spot the LastPass lookalike. Apple removed LassPass Thursday morning, two days after LastPass said it flagged the app to Apple and one day after LastPass warned its users the app was fraudulent.

"We are raising this to our customers' attention to avoid potential confusion and/or loss of personal data," LastPass Senior Principal Intelligence Analyst Mike Kosak wrote.

There's no denying that the logo and name were strikingly similar to the official ones. Below is a screenshot of how LassPass appeared, followed by the official LastPass listing:

[Image: The LassPass entry as it appeared in the App Store.]

[Image: The official LastPass entry.]

Here yesterday, gone today

Thomas Reed, director of Mac offerings at security firm Malwarebytes, noted that the LassPass entry in the App Store said the app's privacy policy was available on bluneel[.]com, but that the policy page was gone by Thursday and the domain's main page showed only a generic landing page. Whois records indicated the domain was registered five months ago.
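The two signals in the paragraphs above, a listing name one edit away from a protected brand and a privacy-policy domain registered only months earlier, are exactly what a store reviewer or a brand-protection team would want to score automatically. The following Python is an added example written for this article; it is not code from LastPass, Apple or Malwarebytes. It normalizes listing names (case, diacritics, digit-for-letter swaps such as "1" for "l"), measures edit distance against a constructed brand list, and reads the registration date from an RDAP-style domain record. The brand list, the sample listing names, the RDAP record for a placeholder domain, the review date and the thresholds (2 edits, 180 days) are all constructed assumptions, not data from the story.

```python
"""Triage an app-store listing for brand impersonation.

Added example for this article; not LastPass's, Apple's or Malwarebytes' code.
Two signals are scored: a listing name within a few edits of a protected brand
(LastPass vs. LassPass) and a privacy-policy domain registered only recently.
Brand list, sample names, the RDAP-style record and thresholds are constructed.
"""
import re
import unicodedata
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed brand list; a real deployment would load the store's trademark set.
PROTECTED_BRANDS = ["LastPass", "1Password", "Bitwarden"]

# Digit/symbol substitutions commonly used in lookalike names (constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "$": "s", "|": "l"}


def normalize(name: str) -> str:
    """Lower-case, strip diacritics, fold confusable digits/symbols, keep only a-z."""
    decomposed = unicodedata.normalize("NFKD", name)
    letters = "".join(c for c in decomposed if not unicodedata.combining(c)).lower()
    folded = "".join(CONFUSABLES.get(c, c) for c in letters)
    return re.sub(r"[^a-z]", "", folded)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(listing_name: str, max_distance: int = 2) -> Tuple[str, Optional[str], Optional[int]]:
    """('brand', name, 0) for an exact case-insensitive brand token;
    ('lookalike', brand, distance) when the whole name or any whitespace token is
    within max_distance edits of a brand after normalization (distance 0 means the
    names differ only by confusable characters); else ('unrelated', None, None).
    Tokens are checked so a suffix such as 'Password Manager' cannot hide a lookalike."""
    candidates = [listing_name] + listing_name.split()
    best: Tuple[str, Optional[str], Optional[int]] = ("unrelated", None, None)
    for brand in PROTECTED_BRANDS:
        for cand in candidates:
            if cand.casefold() == brand.casefold():
                return ("brand", brand, 0)
            dist = damerau_levenshtein(normalize(cand), normalize(brand))
            if dist <= max_distance and (best[2] is None or dist < best[2]):
                best = ("lookalike", brand, dist)
    return best


def domain_age_days(rdap: dict, as_of: datetime) -> Optional[int]:
    """Days between the RDAP 'registration' event and as_of, or None when absent.
    RDAP domain responses (RFC 9083) carry an 'events' list of
    {'eventAction': ..., 'eventDate': ISO-8601} objects."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            registered = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return (as_of - registered).days
    return None


def triage(listing_name: str, rdap: dict, as_of: datetime,
           max_distance: int = 2, young_domain_days: int = 180) -> Tuple[bool, List[str]]:
    """Flag a listing when its name is a brand lookalike; report a recently
    registered privacy-policy domain as supporting evidence either way."""
    verdict, brand, dist = classify(listing_name, max_distance)
    reasons: List[str] = []
    if verdict == "lookalike":
        reasons.append(f"name is {dist} edit(s) from protected brand {brand}")
    age = domain_age_days(rdap, as_of)
    if age is None:
        reasons.append("RDAP record has no registration event")
    elif age < young_domain_days:
        reasons.append(f"privacy-policy domain registered {age} days before review")
    return (verdict == "lookalike", reasons)


# Constructed RDAP-style record and review date; not real data for any domain.
SAMPLE_RDAP = {
    "ldhName": "privacy-policy-host.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-09-08T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2023-09-08T00:00:00Z"},
    ],
}
AS_OF = datetime(2024, 2, 8, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in ["LassPass", "LastPass Password Manager", "1Passw0rd", "Calculator"]:
        print(name, triage(name, SAMPLE_RDAP, AS_OF))
```

The name check is deliberately a cheap string metric rather than an icon comparison, because the name is what a user searches for; logo similarity would need a separate perceptual-hash check. Domain age on its own is not grounds for rejection (new, legitimate developers register new domains), which is why the code reports it as a reason but only flags on the lookalike verdict.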

There's no indication that LassPass collected users' LastPass credentials or copied any of the data it stored. The app did, however, provide fields for users to enter a wealth of sensitive personal information, including passwords, email and physical addresses, and bank, credit, and debit card data. The app had an option for paid subscriptions.

A LastPass representative said the company learned of the app on Tuesday and focused its efforts on getting it removed rather than analyzing its behavior. Company officials don't have information about precisely what LassPass did when it was installed or when it first appeared in the App Store.

The App Store continues to host a separate app from the same developer, who is listed simply as Parvati Patel. (A quick Internet search reveals many individuals with the same name. At the moment, it wasn't possible to identify the specific one.) The separate app is named PRAJAPATI SAMAJ 42 Gor ABD-GNR, and a corresponding privacy policy (at psag42[.]in/policy.html) is dated December 2023. It's described as an application for Ahmedabad-Gandhinager Prajapati Samaj app and further as a platform for community. The app was also recently listed on Google Play but was no longer available for download at the time of publication. Attempts to contact the developer were unsuccessful.

There's no indication the separate app violates any App Store policy. Apple representatives didn't respond to an email asking questions about the incident or its vetting process or policies.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords.