Fake LastPass Password Manager Spotted on Apple's App Store (bleepingcomputer.com)
LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. From a report: The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design. However, the fake app's name is 'LassPass,' instead of 'LastPass,' and it has a publisher of 'Parvati Patel.' In addition, there's only a single rating (the real app has over 52 thousand), with only four reviews that warn about it being fake.
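The three indicators the report lists (a one-letter name change, an unfamiliar publisher, a single rating against tens of thousands) can be turned into a screening check over store listings. This is an added example, not code from the article, LastPass or Apple; the brand-to-publisher allowlist, the publisher placeholder string and the rating threshold are assumptions to be filled from the vendor's genuine listing.

```python
# Added example: flag app-store listings that look like brand impersonation using
# the signals from the report: near-identical name, unexpected publisher, tiny rating count.
from dataclasses import dataclass


@dataclass
class Listing:
    name: str
    publisher: str
    rating_count: int


# Allowlist of brand -> genuine publisher names. The publisher value is a placeholder
# (assumption); populate it from the vendor's own store page, not from a search result.
KNOWN_BRANDS = {"LastPass": {"LASTPASS_PUBLISHER_PLACEHOLDER"}}


def edit_distance(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance (LassPass vs LastPass -> 1)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(listing: Listing, brands=KNOWN_BRANDS, max_distance=2, min_ratings=1000) -> list[str]:
    """Return the reasons a listing looks like an impersonation; empty list if it looks genuine."""
    reasons = []
    for brand, publishers in brands.items():
        d = edit_distance(listing.name, brand)
        if d == 0 and listing.publisher in publishers:
            return []  # exact brand name from an allowlisted publisher
        if d <= max_distance:  # lookalike name (or exact name, wrong publisher)
            reasons.append(f"name {listing.name!r} is within {d} edit(s) of {brand!r}")
            if listing.publisher not in publishers:
                reasons.append(f"publisher {listing.publisher!r} is not a known {brand} publisher")
            if listing.rating_count < min_ratings:  # threshold is an assumption
                reasons.append(f"only {listing.rating_count} rating(s) for a brand-name app")
    return reasons


if __name__ == "__main__":
    # Constructed sample listings mirroring the report's figures.
    for sample in (Listing("LassPass", "Parvati Patel", 1),
                   Listing("LastPass", "LASTPASS_PUBLISHER_PLACEHOLDER", 52000),
                   Listing("Calculator", "Someone Else", 3)):
        print(sample.name, "->", screen(sample) or "no impersonation signals")
```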
Not surprising (Score:4, Insightful)
No limit on how evil and creative the scammers can get.
Also realize that if you want the Microsoft Authenticator app on Android there's now a massive number of them and it's almost to the level that you have to take your chances.
Re:Not surprising (Score:4, Interesting)
I'm just staying with Keepass, it's done everything that I needed and almost nothing I don't for 15 or more years and I've convinced two of my former employers to standardize on it. I don't give a rip if it doesn't work on an iToy, I wouldn't want one anyway.
Re: (Score:3)
On PC I can see all processes and can also use second factor for Keepass (a key file on the USB) which I can disconnect when I am not there. Even if a da
Re: Not surprising (Score:1)
Re: Not surprising (Score:1)
Surprising and Unacceptable. (Score:2)
No limit on how evil and creative the scammers can get.
There’s apparently no limit on the amount of incompetence either.
Apple accepts a security-centric app from a major vendor and charges the infamous 30% Apple Store tax for it, and then does nothing to protect the integrity of that security-centric app (or any other app for that matter) by allowing a scammer to pose as a major vendor and push a fake security-centric app behind the “walled garden”?
FUCK accepting that nonsense. If the world is going to be reduced to a handful of “approv
Re: Surprising and Unacceptable. (Score:1)
That's where the whole thing goes to hell, isn't it? Apple claims their app store keeps you safe, apple users claim the same thing, but apple does nothing at all to prevent malware from reaching the store, and thus customer devices. And since customers think that they do, they tend to trust anything in the app store. Apple's promises lead to a false sense of security by design.
Re: (Score:2)
It's unfair to say that Apple does _nothing_ to prevent malware reaching their store, but they certainly do slip up and let some through. Needless to say, whoever approved that particular app is going to be in hot water.
https://techcrunch.com/2023/05... [techcrunch.com]
As you say, you shouldn't completely trust Apple and their store. Employ a little scepticism, and don't expect that Apple will be 100% effective in blocking bad apps. It only makes sense that they can't.
Re: (Score:2)
It's unfair to say that Apple does _nothing_ to prevent malware reaching their store, but they certainly do slip up and let some through. Needless to say, whoever approved that particular app is going to be in hot water.
What, you mean they’ll be in hot water because it should have been trivially easy to categorize certain apps (like security-centric ones), and apply additional policy and procedure to ensure integrity? Could have been as simple as someone picking up the phone and calling a rep from LastPass themselves to validate. LastPass isn’t exactly some obscure unknown.
https://techcrunch.com/2023/05... [techcrunch.com]
As you say, you shouldn't completely trust Apple and their store. Employ a little scepticism, and don't expect that Apple will be 100% effective in blocking bad apps. It only makes sense that they can't.
Given the sheer size and financial capabilities to create an entire division dedicated to the integrity of the largest or one of the large
Re: (Score:2)
Look, I get where you're coming from, but you have to remember that organisations, like soylent green, are people.
It just takes one person that doesn't know anything about LastPass to look at the app, do some standard checking, and then be convinced that the app appears to do exactly what it says it does, and approve
Re: Surprising and Unacceptable. (Score:1)
Re: (Score:2)
Slashdot moderation has deteriorated to the point of being useless.
Re: Not surprising (Score:2)
Search for just Authenticator. Typing on a touch screen sucks so you don't want to type more than necessary and omitting the word Microsoft is common.
Not there. (Score:3)
Can't find it, either it was removed or the story is bogus.
Re:Not there. (Score:4, Insightful)
Re: (Score:1)
They did something similar with viruses. Still do.
Re: (Score:2)
You are forgetting that malware on their app store is meant to be impossible according to Apple. So the moment something like this hits the press Apple will pull it and pretend it never existed.
Show me where Apple ever claimed that "malware on their app store is meant to be impossible".
I'll wait.
Re: (Score:2)
I got my first iPhone in 2007 when there was no app store. Apple said you couldn't load apps on your own phone because they could have malware and the only way to b
Re: Not there. (Score:1)
Parvati Patel? (Score:2)
I fed that name to my Search Engine and it seems there was a figure in the Harry Potter books called Parvati Patil. Unfortunate, I thought there was a British politician with that name.
Re: (Score:2)
(Context [youtube.com])
Re: (Score:2)
Yeah, I worked that out about 15 minutes after posting. From memory, she was sacked by Theresa May for being an embarrassment to her government (standards have dropped since), reappointed by The Boris or the Lettuce (standards . . .) and was then swept out when that one was forced to resign. The last I read, she was trying to position herself as a sane alternative to Suella Braverman.
so why can't lasspass have it own app download pag (Score:2)
so why can't lasspass have its own app download page with a file you can install on your own phone?
At least that way I know I'm getting it from the source
Advantage of Apple's walled garden (Score:2)
Is that Apple can pretty much cancel this, not just preventing future downloads, but I think they also have mechanisms to revoke existing downloads (developer certificate revocation, I think.) Now Apple should explain how this got through their curation, which is part of how they earn their fee.
Re: (Score:2)
Now Apple should explain how this got through their curation, which is part of how they earn their fee.
Except we all know that will never, ever happen, because they have never, ever done that in the past in such (and similar) occasions.
Re: (Score:2)
Is that Apple can pretty much cancel this, not just preventing future downloads, but I think they also have mechanisms to revoke existing downloads (developer certificate revocation, I think.) Now Apple should explain how this got through their curation, which is part of how they earn their fee.
Ah, silly user. Curation isn't to protect users. It's to limit how developers can profit without Apple taking a cut. External payments? Nope. Links to websites with external payments? Only with permission, and there can be only one. But a completely fraudulent app that appears to work while actually sending all your passwords to some server in a country with weak extradition treaties? No problem.
The only cure for this sort of behavior is training users to use common sense and to look at the ratings.
Re: (Score:2)
Think about how hard it would be for somebody to fake enough of LastPass's website to fool anyone into installing their fake iOS app. Wouldn't happen. This attack vector quite literally exists because of the curated centralized store architecture. It is a problem entirely of Apple's own making.
Wouldn't happen? It was only like four months ago it happened with another password manager. https://www.bleepingcomputer.c... [bleepingcomputer.com]
Ah, but I said LastPass, not KeePass. KeePass has a website that looks like it was designed in 1995, and a download page to match. There's no login system with web-based access to your existing passwords, customer service portals, etc. Try it again with LastPass's website. When users go there and it doesn't auto-fill their password, it's gonna raise red flags pretty much instantly. And if they install the app and find that they can't see their existing LastPass passwords, once again. These things at l
Re: (Score:2)
Think about how hard it would be for somebody to fake enough of LastPass's website to fool anyone
Just fake the top page and download link. Link the rest of the fake site to the actual LastPass content.
Re: (Score:3)
Yeah, they can yank and revoke the app, but do you think Apple will send out a notification to everyone who downloaded the app to let them know that any passwords they provided to the app are now compromised? Didn't think so. Say what you will about Microsoft, but Windows at least tells you when you've been pwned and Microsoft's not-so-great excuse for an antivirus program actually manages to do its job. Apple, on the other hand is all like, "What malware? You didn't see anything, please carry on."
It's
Re: (Score:1)
Re: (Score:2)
The major difference between a thing that might go wrong and a thing that cannot possibly go wrong is that when a thing that cannot possibly go wrong goes wrong it usually turns out to be impossible to get at or repair.
From one of Hitchhiker's Guide to the Galaxy books.
Re:Advantage of Apple's walled garden (Score:4, Informative)
Don't forget we're now in the Brave New World where you can't even trust screenshots on the internet, or videos, or even phone calls, because there is a substantial probability they are generated, not recorded or an actual person on the other end of the comms link.
Re: Advantage of Apple's walled garden (Score:2)
Sounds like someone who hasn't heard of Android Play Protect, which is on by default and can do exactly the same thing EVEN WHEN APPS WERE SIDE LOADED.
Before you criticize a thing you should know something about it. I use an iPhone at work so I know exactly how crap it is compared to my Moto phone. The only thing better about it is the camera, but my camera is totally adequate for snapshots and document captures, and I have a DSLR for when I want a good photo.
Re: (Score:2)
Actually, Apple should be legally liable for any and all damage this does.
Great job, Tim Apple! (Score:4, Insightful)
Way to earn that $99/yr dev fee + 30% appstore sales "Apple Tax" extortion!
Re: LLL (Score:1)
So, report it! (Score:2)
So, it can be pulled.