LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install.
A screenshot of the fake LastPass app in the Apple App Store. Note the misspellings, incorrect developer name and single rating.
Cupertino may have been on the case but earlier today the app was still available in the store.
El Reg asked Apple why the fake LastPass app was still up, and while we didn't receive a response, the app's URL stopped working and the application disappeared from App Store search results on an iPhone within a few minutes of our email.
Apps of questionable value aside, Apple has a reputation for being a relatively safe place for the average iPerson to get their software, with a notoriously tough app approval process standing between developers and users.
Apple even updated its developer agreement and review guidelines last year to add a specific prohibition on apps that impersonate others.
The design section of the app review guidelines even calls out developers who take such an approach, though it's more concerned with laziness than maliciousness.
Of course, the system isn't perfect, and the occasional weed gets through the wall and into the garden.
LastPass' impersonator isn't the first, though it is a particularly egregious case.
While it's understandable some questionable IP theft could occur on the App Store on occasion, this is a total impersonation of a well-known brand.
We'd love to know how this blunder happened, though we're unlikely to get an answer.
Even with its insistence that opening the App Store to competition would lead to greater threats to user safety, Apple's content rules still aren't completely solid.
While we're confident that our readers know well how to spot a fake app from a real one, it's worth reminding everyone how to avoid being tricked into downloading a fake - and this fake LastPass app is rife with examples.
There are the obvious signs, like misspellings in app descriptions or in screenshots.
The developer name listed on apps from big providers should likewise match the actual company behind the product.
The fake LastPass app also only showed itself as having a single five-star rating, while the real LastPass app has some 52k reviews.
A legitimate app is unlikely to please everyone, either, and LastPass is no different - the real app is rated 4.4 out of five stars.
Four one-star reviews on the fake LastPass app that didn't seem to affect its overall score came from users warning that it was a scam, so there are two lessons to learn here: Pay attention to the number of reviews on a supposedly legitimate app, and give them a read, too.
Along with those elements, look at the age of the app, and also take a look at the app privacy report baked into every page in the App Store - if an app doesn't seem like it needs to link certain types of data to you, then skip it - even if legit, the developer might be selling your data.
This Cyber News was published on go.theregister.com. Publication date: Thu, 08 Feb 2024 22:43:03 +0000