A password supervisor LastPass calls “fraudulent” booted from App Retailer

Photo of author

By Calvin S. Nelson

Getty Pictures

As Apple has stepped up its promotion of its App Retailer as a safer and extra reliable supply of apps, its operators scrambled Thursday to right a significant menace to that narrative: a list that password supervisor maker LastPass stated was a “fraudulent app impersonating” its model.

On the time this text on Ars went stay, Apple had eliminated the app—titled LassPass and bearing a emblem strikingly much like the one utilized by LastPass—from its App Retailer. On the similar time, Apple allowed a separate app submitted by the identical developer to stay. Apple supplied no rationalization for the rationale for eradicating the previous app or for permitting the latter one to stay.

Apple warns of “new dangers” from competitors

The transfer comes as Apple has beefed up its efforts to advertise the App Retailer as a safer different to competing sources of iOS apps mandated not too long ago by the European Union. In an interview with App Retailer head Phil Schiller printed this month by FastCompany, Schiller stated the brand new app shops will “convey new dangers”—together with pornography, hate speech, and different types of objectionable content material—that Apple has lengthy stored at bay.

“I’ve no qualms in saying that our purpose goes to at all times be to make the App Retailer the most secure, finest place for customers to get apps,” he advised author Michael Grothaus. “I believe customers—and the entire developer ecosystem—have benefited from that work that we’ve executed along with them. And we’re going to maintain doing that.”

In some way, Apple’s app vetting course of—lengthy vaunted despite the fact that Apple has supplied few specifics—failed to identify the LastPass lookalike. Apple eliminated LassPass Thursday morning, two days, LastPass stated, after it flagged the app to Apple and at some point after warning its customers the app was fraudulent.

“We’re elevating this to our clients’ consideration to keep away from potential confusion and/or lack of private knowledge,” LastPass Senior Principal Intelligence Analyst Mike Kosak wrote.

There’s no denying that the brand and title had been strikingly much like the official ones. Under is a screenshot of how LassPass appeared, adopted by the official LastPass itemizing:

The LassPass entry as it appeared in the App Store.
Enlarge / The LassPass entry because it appeared within the App Retailer.
The official LastPass entry.
Enlarge / The official LastPass entry.

Right here yesterday, gone at the moment

Thomas Reed, director of Mac choices at safety agency Malwarebytes, famous that the LassPass entry within the App Retailer stated the app’s privateness coverage was out there on bluneel[.]com, however that the web page was passed by Thursday, and the primary web page reveals a generic touchdown web page. Whois data indicated the area was registered 5 months in the past.

There’s no indication that LassPass collected customers’ LastPass credentials or copied any of the info it saved. The app did, nonetheless, present fields for customers to enter a wealth of delicate private info, together with passwords, e mail and bodily addresses, and financial institution, credit score, and debit card knowledge. The app had an possibility for paid subscriptions.

A LastPass consultant stated the corporate discovered of the app on Tuesday and targeted its efforts on getting it eliminated reasonably than analyzing its habits. Firm officers don’t have details about exactly what LassPass did when it was put in or when it first appeared within the App Retailer.

The App Retailer continues to host a separate app from the identical developer who’s listed merely as Parvati Patel. (A fast Web search reveals many people with the identical title. In the mean time, it wasn’t potential to establish the precise one.) The separate app is known as PRAJAPATI SAMAJ 42 Gor ABD-GNR, and a corresponding privateness coverage (at psag42[.]in/coverage.html) is dated December 2023. It’s described as an “utility for Ahmedabad-Gandhinager Prajapati Samaj app” and additional as a “platform for group.” The app was additionally not too long ago listed on Google Play however was now not out there for obtain on the time of publication. Makes an attempt to contact the developer had been unsuccessful.

There’s no indication the separate app violates any App Retailer coverage. Apple representatives didn’t reply to an e mail asking questions concerning the incident or its vetting course of or insurance policies.

Leave a Comment