Apple Approved a Fake “LastPass Password Manager” App for the App Store

Apple’s App Store review team is notoriously fickle about what software it approves for sale. Some companies have had to modify, modify, or even completely remove certain features in order for their application to make it through the process.

Yet somehow, a fake LastPass app managed to get past this same review team. Worse yet, the fraudulent version of LastPass was available for weeks before it was finally removed, and only after it was removed. noticed by the LastPass team themselves.

“LastPass would like to alert our customers of a fraudulent application attempting to impersonate our LastPass application on the Apple App Store,” LastPass wrote Wednesday on its company website.

The statement points out that the impostor pretending to be the official LastPass app listed someone named “Parvati Patel” as the developer, instead of LastPass’ parent company LogMeIn.

“The app attempts to copy our branding and user interface, although a close look at the posted screenshots reveals spelling errors and other indicators that the app is fraudulent,” pointed out LastPass. Most notably, the fake LastPass app is listed as “LassPass Password Manager” – note “Lass” in place of “Last”.

According to TechCrunch, the LastPass team reached out to Apple to learn more about how “LassPass” survived the iPhone maker’s typically rigorous App Store review process. Although Apple has not provided any public information on the matter, the company has since removed “LassPass Password Manager” from the App Store.

It is unknown, at least for the moment, how many people fell for this scam, just as it is not yet confirmed that the fake app was a phishing attempt, although this is the most likely reason. obvious to masquerade as a password management application.

An ironic moment for an App Store misstep

Recently, Apple’s app distribution policies made headlines following the company’s release of new rules created in response to the EU’s Digital Markets Act (DMA). This new regulation was instituted in order to loosen Apple’s control over how third-party apps are distributed on iPhones, allowing users to download apps from alternative markets that are not bound by Apple’s content rules. the Apple App Store or through revenue sharing policies.

In response, Apple engaged in what one critic called “malicious compliance”, formulating new DMA-compliant policies for these alternative markets and the applications distributed in them, including scenarios in which developers could potentially pay Apple. more than they would have done if they had just released their apps through the official App Store. Apple’s decision was roundly condemned by developers large and small. CEOs of companies like Xbox, Epic Games, Spotify and even Meta’s Mark Zuckerberg criticized Apple, accusing the company of trying to profit from the DMA.

Why this so-called act of “malicious compliance”? That’s the ironic part. The iPhone maker had opposed the DMA in the first place, believing its walled garden approach with the App Store protected consumers from bad actors. As TechCrunch points out, Apple even wrote about this in its own article about its new DMA-compliant rules.

“New payment processing and app download options on iOS open new avenues for malware, fraud and scams, illegal and harmful content, and other privacy and security threats. security,” Apple said. said in his January 25 blog post. And yet, by the time Apple released this statement, “LassPass Password Manager” was already available for download on the official App Store, having been approved four days earlier.