Apple pulled a fake app masquerading as password manager LastPass from the App Store – Model Slux

Apple has removed a fake app that was masquerading as password manager LastPass on the App Store. The illegitimate app was listed under an individual developer’s name (Parvati Patel) and copied LastPass’s branding and user interface in an attempt to confuse users. Beyond being published by a different developer that was not LastPass owner LogMeIn, the fake app also had a number of misspellings and clues that indicated its fraudulent nature, LastPass said. That such an obviously fake app got through Apple’s App Review process is a bad look for the tech giant, which has been arguing against new regulations, like the EU’s Digital Markets Act (DMA), by claiming these laws would compromise customer safety and privacy.

Apple said that the DMA, which allows for third-party app stores and payments, could put users at risk because they’ll be able to conduct business outside its App Store with unknown parties. Bad actors could potentially take advantage of the new regulation to trick users into buying subscriptions that are difficult to cancel. They could even target users with malware, Apple had warned.

When introducing its plan for DMA compliance, Apple wrote, “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

But in this case, the threat to users was coming from within the App Store itself — not a third-party website.

Image Credits: App Store screenshot, courtesy of Appfigures

Still, how large of a threat the fake app actually was remains uncertain.

According to data from app intelligence provider Appfigures, the fake app was launched on January 21, which gave it a few weeks to capture users’ attention. But a number of users appeared to have caught on that the app was not legitimate, as all of its App Store reviews were warnings to others that the app was fraudulent, the firm noted.

The fake app also leveraged the keyword “LastPass” to rank in the search results for the term, but this didn’t get it very far — it only ranked No. 7 in the search results early today, Appfigures said.

In addition, the app never ranked on any of Apple’s Top Charts, either its Overall Free Apps chart or those by category, Appfigures said. That lack of traction indicates that the app likely saw only a handful of downloads before being pulled.

While the app likely didn’t manage to dupe many users, it could have. What’s more, it’s upsetting to learn that LastPass had to warn customers publicly about a fake app that never should have been published in the first place. And after its blog post was published, the app didn’t get removed from the App Store until the following day.

In all likelihood, Apple took action against the app by pulling it down from the App Store after press reports. Apple has been asked for comment, but one was not immediately provided.

LastPass told TechCrunch it was in touch with Apple representatives over the matter, including how the app got through App Review.

“Upon seeing the fake ‘LassPass’ app in the Apple App store, LastPass immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed,” said Christofer Hoff, chief secure technology officer for LastPass, in a statement provided to TechCrunch. “Our threat intelligence team posted a blog yesterday to raise awareness and help inform the public and our customers of the situation. We’re in direct contact with representatives from Apple, and they have confirmed receipt of our complaints, and we’re working through the process to have the fraudulent app removed.”

Hoff added that the company is working with Apple to “understand more broadly how an application like this passed their usually rigorous security and brand protection mechanisms. The naming convention, the iconography, and the description of the fraudulent app are all heavily borrowed from LastPass, and this appears to be a deliberate attempt to target LastPass users,” he said.

Apple confirmed on Friday the app had been removed and its creator was banned from its Apple Developer Program, per Review Guideline which deals with impersonating apps. The company declined to share a public comment.

Updated, 2/8/24, 2:30 PM ET with LastPass comment; 2/9/24 12:57 PM ET with Apple confirmation of removal
