Fake LastPass password manager spotted on Apple's App Store

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials.
The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface made to appear close to the brand's authentic design.
The fake app's name is 'LassPass' instead of 'LastPass,' and its listed publisher is 'Parvati Patel.'
There's only a single rating, with only four reviews that warn about it being fake.
As LastPass is used to store very sensitive information, such as authentication secrets and credentials, the app was likely created to act as a phishing app and steal credentials.
BleepingComputer has not tested the app, so we are not familiar with its inner workings, potential phishing process, or any other details about its functionality.
The real LastPass warned about the existence of the clone app via an alert on its website to raise customers' attention to the risk of data loss.
The inclusion of such an obviously fraudulent app on the Apple App Store is a very rare case, thanks to the company's stringent app review process, which ensures that software in the App Store meets high standards for privacy, security, and content.
This process includes automated checks and manual review by Apple's team to ensure adherence to a detailed set of guidelines that developers must follow.
When Apple becomes aware of an app that violates its guidelines, it typically acts quickly to remove it from the App Store and ban the developer.
The fake LastPass remains available on the Apple App Store at the time of this story's publication.
The same developer has another app on the App Store that seems legitimate, so the possibility of their account having been hijacked by malicious actors cannot be ruled out.
If you have installed the fake LastPass app, you should immediately remove it and change your password at lastpass.com.
It is then advised to perform the arduous task of resetting all passwords stored in your LastPass vault to be safe.
BleepingComputer reached out to Apple about the fake LastPass app, but a response was not immediately available.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 08 Feb 2024 17:05:30 +0000

