LastPass Rip-Off Named ‘LassPass’ Made It Into the App Store

Mike Kosak, writing for the LastPass company blog:

LastPass would like to alert our customers to a fraudulent app attempting to impersonate our LastPass app on the Apple App Store. The app in question is called “LassPass Password Manager” and lists Parvati Patel as the developer. The app attempts to copy our branding and user interface, though close examination of the posted screenshots reveals misspellings and other indicators the app is fraudulent.

“LassPass” sounds like a Scottish dating app.

I was able to install LassPass earlier today, before Apple removed it. I think it’s just a blatant brand rip-off, not an attempt to phish the credentials from actual LastPass customers. The app itself doesn’t look like LastPass, and never prompts you to log into an existing LastPass account. Instead, the scam LassPass app tries to steer you to creating a “pro” account subscription for $2/month, $10/year, or a $50 lifetime purchase. Those are actually low prices for a scam app — a lot of scammy apps try to charge like $10/week.

But whatever LassPass is, it obviously shouldn’t have been approved by App Store review. And that leads to a predictable knee-jerk response:

  • “Hagen”: “fake password manager in the app store. isn’t this what the 30% cut is supposed to protect us from?”
  • Emil Protalinski: “I don’t understand. I thought Apple uses the money from its 30% tax to stop phishing apps from getting into its app store?”
  • Mary Branscombe: “if Apple is going to insist that having the only app store on its devices is there to be a security barrier, letting through fake apps doesn’t help with that argument”

Branscombe is correct that even isolated incidents like this hurt Apple’s arguments in favor of App Store exclusivity. But what’s the counterargument? That anything short of 100 percent accuracy at flagging scams and rip-offs renders the entire App Store review process pointless? That if, say, 1 in every 1,000 scam attempts slips through, the entire process should be scrapped? That argument can’t be taken seriously.

Thursday, 8 February 2024