A fake app masquerading as the popular password manager LastPass was discovered and then removed from the App Store, and it’s unclear whether it was Apple or the unscrupulous developer who removed it.
The fake app was published on behalf of an independent developer, one Parvati Patel. It copied the branding and user interface of the original LastPass in an attempt to confuse users. LogMeIn, the real developer of LastPass, noted that the description of the fake contained spelling errors and other signs of fraud. The fact that an obviously fake application passed the App Store verification procedure is a blow to Apple’s reputation. The company actively defends the nature of its ecosystem and opposes laws like the DMA, arguing that they compromise the security and privacy of its customers.
According to Apple, Europe’s Digital Markets Act (DMA), which requires it to allow third-party app stores and payments through third-party systems, could put consumers at risk – outside the App Store they will be forced to resort to the services of unknown parties. And scammers can take advantage of the law to trick users into signing up for subscriptions that are then difficult to cancel. It is also possible that devices may be infected with malware. But in this case, the threat came from the App Store, not a third-party app store.
The fake LastPass client was released on January 21st, according to Appfigures, and has had plenty of time to attract users’ attention. Some of them, however, realized that they were dealing with an attempted fraud, since reviews on the App Store were replete with warnings. The application was promoted in searches using the keyword “LastPass”, but it did not manage to rise much – the previous morning it was only in seventh place in the search results. The fake also failed to make it into the App Store rankings, appearing neither in the general chart of free applications nor in the top charts by category. It’s unfortunate that the developers of the real LastPass had to warn users about the fake, which then remained in the store for another whole day.
According to a LogMeIn representative, the developer of the real LastPass is currently working with Apple to “understand how such an application got through their usually strict security and brand protection mechanisms”. Apple itself has not yet commented on the incident.