Fake LastPass Lookalike Made It Into Apple App Store

LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install.

The software maker went public about the fake mobile app on Wednesday, warning that the knockoff "LastPass Password Manager," developed by someone calling themselves Parvati Patel, appeared to be trying to confuse users into running the thing and possibly steal their data or credentials.

A screenshot of the fake LastPass app in the Apple App store. Note the misspellings, incorrect developer name and single rating ... Click to enlarge

"Upon seeing the fake 'LassPass' app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed," Christofer Hoff, chief secure technology officer for LastPass, told The Register Thursday.

"We are in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we are working through the process to have the fraudulent app removed," Hoff added.

Cupertino may have been on the case but earlier today the app was still available in the store. El Reg asked Apple why the fake LastPass app was still up, and while we didn't receive a response, the app's URL stopped working and the application disappeared from App Store search results on an iPhone within a few minutes of our email.

In other words, it's now gone.

How'd this weed make it into the walled garden?

Apps of questionable value aside, Apple has a reputation for being a relatively safe place for the average iPerson to get their software, with a notoriously tough app approval process standing between developers and users. 

Apple even updated its developer agreement and review guidelines last year to add a specific prohibition on apps that impersonate others. The design section of the app review guidelines even calls out developers who take such an approach, though it's more concerned with laziness than maliciousness. 

"Come up with your own ideas," Apple demands from developers. "Submitting apps which impersonate other apps or services is considered a violation of the Developer Code of Conduct and may result in removal from the Apple Developer Program." 

Of course, the system isn't perfect, and the occasional weed gets through the wall and into the garden. LastPass' impersonator isn't the first, though it is a particularly egregious case.

• Forcing Apple to allow third-party app stores isn't enough
• Beware cool-looking beta crypto-apps. They may be money-stealing fakes
• Almost 300 predatory loan apps found in Google and Apple stores
• Over a million Android users fooled by fake WhatsApp app in official Google Play Store

While it's understandable some questionable IP theft could occur on the App Store on occasion, this is a total impersonation of a well-known brand. We'd love to know how this blunder happened, though we're unlikely to get an answer. LastPass wants to know too. 

"[We're] working with Apple to understand more broadly how an application like this passed their normally rigorous security and brand protection mechanisms," Hoff told us. "The naming convention, the iconography and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users."

Separating the apps from the traps

Even with its insistence that opening the App Store to competition would lead to greater threats to user safety, Apple's content rules still aren't completely solid. While we're confident that our readers know well how to spot a fake app from a real one, it's worth reminding everyone how to avoid being tricked into downloading a fake - and this fake LastPass app is rife with examples.

There's the obvious signs, like misspellings in app descriptions or in screenshots. The fake LastPass app, screenshotted in this story, actually shows a preview image telling users they can "store all your passwords with lasspass" - a good way to tell you're dealing with a faker, assuming legitimate developers have an editor. 

There's also the developer name, which in LastPass' case should be "LogMeIn, Inc.," not a random person. Other apps from big providers (the most obvious ones to be targeted for impersonation) should likewise match the actual company behind the product. 

The fake LastPass app also only showed itself as having a single five-star rating, while the real LastPass app has some 52k reviews. A legitimate app is unlikely please everyone, either, and LastPass is no different - the real app is rated 4.4 out of five stars.

Additionally, four one-star reviews on the fake LastPass app that didn't seem to affect its overall score came from users warning that it was a scam, so there's two lessons to learn here: Pay attention to the number of reviews on a supposedly legitimate app, and give them a read, too.

Along with those elements, look at the age of the app, and also take a look at the app privacy report baked into every page in the App Store - if an app doesn't seem like it needs to link certain types of data to you (sudoku doesn't need to access user content or know your location), then skip it - even if legit the developer might be selling your data.

As high as they may be, the walls around Tim's garden can't keep out all the garbage, so be careful. ®