A password manager LastPass calls “fraudulent” booted from App Store
News Team
As Apple has stepped up its promotion of its App Store as a safer and more trustworthy source of apps, its operators scrambled Thursday to correct a major threat to that narrative: a listing that password manager maker LastPass said was a “fraudulent app impersonating” its brand.
At the time this article on Ars went live, Apple had removed the app—titled LassPass and bearing a logo strikingly similar to the one used by LastPass—from its App Store. At the same time, Apple allowed a separate app submitted by the same developer to remain. Apple provided no explanation for the reason for removing the former app or for allowing the latter one to remain.
Apple warns of “new risks” from competition
The move comes as Apple has beefed up its efforts to promote the App Store as a safer alternative to competing sources of iOS apps mandated recently by the European Union. In an interview with App Store head Phil Schiller published this month by FastCompany, Schiller said the new app stores will “bring new risks”—including pornography, hate speech, and other forms of objectionable content—that Apple has long kept at bay.
“I have no qualms in saying that our goal is going to always be to make the App Store the safest, best place for users to get apps,” he told writer Michael Grothaus. “I think users—and the whole developer ecosystem—have benefited from that work that we’ve done together with them. And we’re going to keep doing that.”
Somehow, Apple’s app vetting process—long vaunted even though Apple has provided few specifics—failed to spot the LastPass lookalike. Apple removed LassPass Thursday morning, two days, LastPass said, after it flagged the app to Apple and one day after warning its users the app was fraudulent.
“We are raising this to our customers’ attention to avoid potential confusion and/or loss of personal data,” LastPass Senior Principal Intelligence Analyst Mike Kosak wrote.
There’s no denying that the logo and name were strikingly similar to the official ones. Below is a screenshot of how LassPass appeared, followed by the official LastPass listing:
Here yesterday, gone today
Thomas Reed, director of Mac offerings at security firm Malwarebytes, noted that the LassPass entry in the App Store said the app’s privacy policy was available on bluneel[.]com, but that the page was gone by Thursday, and the main page shows a generic landing page. Whois records indicated the domain was registered five months ago.
There’s no indication that LassPass collected users’ LastPass credentials or copied any of the data it stored. The app did, however, provide fields for users to enter a wealth of sensitive personal information, including passwords, email and physical addresses, and bank, credit, and debit card data. The app had an option for paid subscriptions.
A LastPass representative said the company learned of the app on Tuesday and focused its efforts on getting it removed rather than analyzing its behavior. Company officials don’t have information about precisely what LassPass did when it was installed or when it first appeared in the App Store.
The App Store continues to host a separate app from the same developer who is listed simply as Parvati Patel. (A quick Internet search reveals many individuals with the same name. At the moment, it wasn’t possible to identify the specific one.) The separate app is named PRAJAPATI SAMAJ 42 Gor ABD-GNR, and a corresponding privacy policy (at psag42[.]in/policy.html) is dated December 2023. It’s described as an “application for Ahmedabad-Gandhinager Prajapati Samaj app” and further as a “platform for community.” The app was also recently listed on Google Play but was no longer available for download at the time of publication. Attempts to contact the developer were unsuccessful.
There’s no indication the separate app violates any App Store policy. Apple representatives didn’t respond to an email asking questions about the incident or its vetting process or policies.