A fake app masquerading as the password manager LastPass on the App Store has been removed, though whether by Apple or by the fake app's developer is not yet clear; Apple has not commented. The illegitimate app was listed under an individual developer's name (Parvati Patel) and copied LastPass's branding and user interface in an attempt to confuse users. Beyond being published by a different developer that was not LastPass owner LogMeIn, the fake app also had numerous misspellings and other clues that indicated its fraudulent nature, LastPass said. That such an obviously fake app got through Apple's App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU's Digital Markets Act (DMA), by claiming those laws would compromise customer safety and privacy.
Apple said that the DMA, which allows for third-party app stores and payments, could put users at risk because they will be able to conduct business outside its App Store with unknown parties. Bad actors could potentially use the new regulation to trick users into buying subscriptions that are difficult to cancel. They could even target users with malware, Apple had warned.
When introducing its plan for DMA compliance, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”
But in this case, the threat to users was coming from within the App Store itself, not from a third-party website.
Still, how big a threat the fake app actually was remains uncertain.
According to data from app intelligence provider Appfigures, the fake app was launched on January 21, which gave it a few weeks to capture users' attention. But several users seem to have caught on that the app was not legitimate, as all of its App Store reviews were warnings to others that the app was fraudulent, the firm noted.
The fake app also leveraged the keyword "LastPass" to rank in the search results for the term, but this did not get it very far; it only ranked No. 7 in the search results early today, Appfigures said.
In addition, the app never ranked on any of Apple's Top Charts, either its Overall Free Apps chart or those by category, Appfigures said. That lack of traction indicates that the app likely saw only a handful of downloads before being pulled.
While the app likely did not manage to dupe many users, it could have. What's more, it is troubling to learn that LastPass had to warn customers publicly about a fake app that never should have been published in the first place. And after its blog post was published, the app was not removed from the App Store until the following day.
In all likelihood, Apple took action against the app by pulling it down from the App Store after press reports. Apple has been asked for comment, but one was not immediately provided.
LastPass told TechCrunch it was in contact with Apple representatives over the matter, including how the app got through App Review.
“Upon seeing the fake ‘LassPass’ app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed,” said Christofer Hoff, chief secure technology officer for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team posted a blog yesterday to raise awareness and help inform the public and our customers of the situation. We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed.”
Hoff added that the company is working with Apple to “understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms. The naming convention, the iconography, and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.
Updated, 2/8/24, 2:30 PM ET with LastPass comment