Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
IT Apple

Fake LastPass Password Manager Spotted on Apple's App Store (bleepingcomputer.com) 42

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. From a report: The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design. However, the fake app's name is 'LassPass,' instead of 'LastPass,' and it has a publisher of 'Parvati Patel.' In addition, there's only a single rating (the real app has over 52 thousand), with only four reviews that warn about it being fake.
This discussion has been archived. No new comments can be posted.

Fake LastPass Password Manager Spotted on Apple's App Store

Comments Filter:
  • Not surprising (Score:4, Insightful)

    by Z00L00K ( 682162 ) on Thursday February 08, 2024 @03:00PM (#64225566) Homepage Journal

    No limit on how evil and creative the scammers can get.

    Also realize that if you want the Microsoft Authenticator app on Android there's now a massive number of them and it's almost to the level that you have to take your chances.

    • Re:Not surprising (Score:4, Interesting)

      by cusco ( 717999 ) <[brian.bixby] [at] [gmail.com]> on Thursday February 08, 2024 @04:17PM (#64225742)

      I'm just staying with Keepass, it's done everything that I needed and almost nothing I don't for 15 or more years and I've convinced two of my former employers to standardize on it. I don't give a rip if it doesn't work on an iToy, I wouldn't want one anyway.

      • by xwin ( 848234 )
        While I use Keepass every day on PC, I think it is a mistake to keep your passwords on the phone. You can't control what runs on your phone to a large extent. Google and Apple running their processes, service providers running theirs, any app that likes can run a service and to request accessibility control. Plus your phone can get stolen and broken into.
        On PC I can see all processes and can also use second factor for Keepass (a key file on the USB) which I can disconnect when I am not there. Even if a da
    • No limit on how evil and creative the scammers can get.

      There’s apparently no limit on the amount of incompetence either.

      Apple accepts a security-centric app from a major vendor and charges the infamous 30% Apple Store tax for it, and then does nothing to protect the integrity of that security-centric app (or any other app for that matter) by allowing a scammer to pose as a major vendor and push a fake security-centric app behind the “walled garden”?

      FUCK accepting that nonsense. If the world is going to be reduced to a handful of “approv

      • That's where the whole thing goes to hell, isn't it? Apple claims their app store keeps you safe, apple users claim the same thing, but apple does nothing at all to prevent malware from reaching the store, and thus customer devices. And since customers think that they do, they tend to trust anything in the app store. Apple's promises lead to a false sense of security by design.

        • by deek ( 22697 )

          It's unfair to say that Apple does _nothing_ to prevent malware reaching their store, but they certainly do slip up and let some through. Needless to say, whoever approved that particular app is going to be in hot water.

          https://techcrunch.com/2023/05... [techcrunch.com]

          As you say, you shouldn't completely trust Apple and their store. Employ a little scepticism, and don't expect that Apple will be 100% effective in blocking bad apps. It only makes sense that they can't.

          • It's unfair to say that Apple does _nothing_ to prevent malware reaching their store, but they certainly do slip up and let some through. Needless to say, whoever approved that particular app is going to be in hot water.

            What, you mean they’ll be in hot water because it should have been trivially easy to categorize certain apps (like security-centric ones), and apply additional policy and procedure to ensure integrity? Could have been as simple as someone picking up the phone and calling a rep from LastPass themselves to validate. LastPass isn’t exactly some obscure unknown.

            https://techcrunch.com/2023/05... [techcrunch.com]

            As you say, you shouldn't completely trust Apple and their store. Employ a little scepticism, and don't expect that Apple will be 100% effective in blocking bad apps. It only makes sense that they can't.

            Given the sheer size and financial capabilities to create an entire division dedicated to the integrity of the largest or one of the large

            • by deek ( 22697 )

              I’d say scrutinizing certain security-centric apps to ensure you sustain some basic integrity is quite justified. Bullshit excuses, are bullshit. They should have known better on this one.

              Look, I get where you're coming from, but you have to remember that organisations, like soylent green, are people.

              It just takes one person that doesn't know anything about LastPass to look at the app, do some standard checking, and then be convinced that the app appears to do exactly what it says it does, and approve

        • Just searched for lasspass app on the AppStore and nothing shows up. Maybe it has been removed already or not made it to my local AppStore yet?
    • by xwin ( 848234 )
      I dont know how is this "insightful". There is only one Microsoft Authenticatior in the Android store. I just did a search on the web and and in on my phone. On the web it came up first and on my phone second. If you have more than one brain cell you can find that the app is offered by Microsoft Corporation and that is the real one.
      Slashdot moderation is deteriorated to the point of being useless.
      • Search for just Authenticator. Typing on a touch screen sucks so you don't want to type more than necessary and omitting the word Microsoft is common.

  • by derplord ( 7203610 ) on Thursday February 08, 2024 @03:16PM (#64225596)

    Can't find it, either it was removed or the story is bogus.

    • Re:Not there. (Score:4, Insightful)

      by ukoda ( 537183 ) on Thursday February 08, 2024 @03:28PM (#64225624) Homepage
      You are forgetting that malware on their app store is meant to be impossible according to Apple. So the moment something like this hits the press Apple will pull it and pretend it never existed.
      • They did something similar with viruses. Still do.

      • You are forgetting that malware on their app store is meant to be impossible according to Apple. So the moment something like this hits the press Apple will pull it and pretend it never existed.

        Show me where Apple ever claimed that "malware on their app store is meant to be impossible".

        I'll wait.

        • by ukoda ( 537183 )
          First Google result https://www.apple.com/nz/app-s... [apple.com] "The apps you love. From a place you can trust." in a huge font. It also says "We ensure that apps come from known sources, are free of known malware". It does not say "probably free of known malware" or "believed to be free of known malware". It clearly says "are free of known malware"

          I got my first iPhone in 2007 when there was no app store. Apple said you couldn't load apps on you own phone because they could have malware and the only way to b
          • There is nothing in the article about this being / containing known malware. A password app can be quite a simple piece of tech. The fact that it mimicked known application might just be for visibility (halo effect) and not nefarious intent. But it was taken down for the right reason.
  • I fed that name to my Search Engine and it seems there was a figure in the Harry Potter books called Parvati Patil. Unfortunate, I thought there was a British politician with that name.

    • Priti Patel. With a name like Vlad you're bound to get along.
      (Context [youtube.com])
      • Yeah, I worked that out about 15 minutes after posting.
        From memory, she was sacked by Teresa May for being an embarrassment to her government (standards have dropped since), reappointed by The Boris or the Lettuce (standards . . .) and was then swept out when that one was forced to resign. The last I read, she was trying to position herself as a sane alternative to Suella Braverman.

  • so why can't lasspass have it own app download page with an file you can install on your own phone?

    At least that way I know I'm getting it from the source

  • Is that Apple can pretty much cancel this, not just preventing future downloads, but I think they also have mechanisms to revoke existing downloads (developer certificate revokation, I think.) Now Apple should explain how this got through their curation, which is part of how they earn their fee.

    • Now Apple should explain how this got through their curation, which is part of how they earn their fee.

      Except we all know that will never, ever happen, because they have never, ever done that in the past in such (and similar) occasions.

    • by dgatwood ( 11270 )

      Is that Apple can pretty much cancel this, not just preventing future downloads, but I think they also have mechanisms to revoke existing downloads (developer certificate revokation, I think.) Now Apple should explain how this got through their curation, which is part of how they earn their fee.

      Ah, silly user. Curation isn't to protect users. It's to limit how developers can profit without Apple taking a cut. External payments? Nope. Links to websites with external payments? Only with permission, and there can be only one. But a completely fraudulent app that appears to work while actually sending all your passwords to some server in a country with weak extradition treaties? No problem.

      The only cure for this sort of behavior is training users to use common sense and to look at the ratings

      • by PPH ( 736903 )

        Think about how hard it would be for somebody to fake enough of LastPass's website to fool anyone

        Just fake the top page and download link. Link the rest of the fake site to the actual LastPass content.

    • Yeah, they can yank and revoke the app, but do you think Apple will send out a notification to everyone who downloaded the app to let them know that any passwords they provided to the app are now compromised? Didn't think so. Say what you will about Microsoft, but Windows at least tells you when you've been pwned and Microsoft's not-so-great excuse for an antivirus program actually manages to do its job. Apple, on the other hand is all like, "What malware? You didn't see anything, please carry on."

      It's

      • What is even worse is apples superfans will defend and applaud this lack of transparency
      • The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.

        From one of Hitchhiker's Guide to the Galaxy books.

    • by ThosLives ( 686517 ) on Thursday February 08, 2024 @03:57PM (#64225694) Journal

      Don't forget we're now in the Brave New World where you can't even trust screenshots on the internet, or videos, or even phone calls, because there is a substantial probability they are generated, not recorded or an actual person on the other end of the comms link.

    • Sounds like someone who hasn't heard of Android Play Protect, which is on by default and can do exactly the same thing EVEN WHEN APPS WERE SIDE LOADED.

      Before you criticize a thing you should know something about it. I use an iPhone at work so I know exactly how crap it is compared to my Moto phone. The only thing better about it is the camera, but my camera is totally adequate for snapshots and document captures, and I have a DSLR for when I want a good photo.

    • by gweihir ( 88907 )

      Actually, Apples should be legally liable for any and all damage this does.

  • by NoMoreDupes ( 8410441 ) on Thursday February 08, 2024 @03:40PM (#64225660)

    Way to earn that $99/yr dev fee + 30% appstore sales "Apple Tax" extortion!

  • So, it can be pulled.

"Ask not what A Group of Employees can do for you. But ask what can All Employees do for A Group of Employees." -- Mike Dennison

Working...