[HN Gopher] Fake LastPass password manager spotted on Apple's Ap...
___________________________________________________________________
Fake LastPass password manager spotted on Apple's App Store
Author : chromate
Score : 49 points
Date : 2024-02-08 17:24 UTC (5 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| fsniper wrote:
| Isn't this the "App Store" that they are gatekeeping for these
| kinds of threats?
| chrisjj wrote:
| Perhaps the Store found no threat?
|
| Do note that this article fails to actually identify any threat
| here.
| tailspin2019 wrote:
| It's not difficult to imagine possible threats just by
| looking at the comparison screenshots alone:
|
| https://blog.lastpass.com/2024/02/warning-fraudulent-app-imp...
| chrisjj wrote:
| App Store does not ban an app for threats imagined from
| viewing a competitor's screenshots.
| lapcat wrote:
| Apple has removed the app from the store:
| https://techcrunch.com/2024/02/08/a-fake-app-masquerading-as...
| chrisjj wrote:
| > Apple has removed the app
|
| Fake news. Article does not say Apple removed it. On the
| contrary:
|
| "whether by Apple or the fake app's developer is yet
| unclear -- Apple has not commented."
| Pfhortune wrote:
| > Do note that this article fails to actually identify any
| threat here.
|
| From the article:
|
| > ...the app was likely created to act as a phishing app and
| steal credentials.
|
| > If you have installed the fake LastPass app, you should
| immediately remove it and change your password at
| lastpass.com. It is then advised to perform the arduous task
| of resetting all passwords stored in your LastPass vault to
| be safe.
|
| Though one could argue that they have not _definitively_
| proven that this app is a threat through testing, it really
| is not much of a stretch of the imagination that a LastPass-
| lookalike would be used for phishing. This app is very
| clearly an illegitimate clone.
| chrisjj wrote:
| > ...the app was likely created to act as a phishing app
| and steal credentials.
|
| That's a fear, not a threat.
|
| > Though one could argue that they have not _definitively_
| proven that this app is a threat
|
| Why bother arguing that? They haven't claimed any evidence,
| let alone proof.
|
| > it really is not much of a stretch of the imagination
| that a LastPass-lookalike would be used for phishing.
|
| App Store rightly does not ban apps on stretches of
| imagination.
| lapcat wrote:
| > App Store rightly does not ban apps on stretches of
| imagination.
|
| Apple has removed the app:
| https://techcrunch.com/2024/02/08/a-fake-app-masquerading-as...
| chrisjj wrote:
| > Apple has removed the app
|
| Fake news. Article does not say Apple removed it. On the
| contrary:
|
| "whether by Apple or the fake app's developer is yet
| unclear -- Apple has not commented."
| lapcat wrote:
| Apple never comments on that, but somehow magically every
| single time a scam app makes the news media, the app
| disappears from the App Store.
| chrisjj wrote:
| [delayed]
| phmqk76 wrote:
| And yet Apple removed it after it was publicized, so...
| sccxy wrote:
| But Apple said their App Store is so safe that you do not need to
| worry about these kinds of scams
| sunnybeetroot wrote:
| Safer than allowing unregulated app stores to exist where an
| abundance of fake LastPass apps can be found I imagine.
| mdaniel wrote:
| https://play.google.com/store/search?q=lasspass&c=apps&fpr=f...
| shows that Parvati Patel didn't even have the forethought
| to submit to multiple stores, for maximum phishing. Or, from
| Apple's perspective, _worse_ may be that they did submit it
| and Google either caught it or its review cycle is so
| hopelessly borked it didn't outrun the news coverage. Hard
| to tell who is the most facepalm of all these actors.
| function_seven wrote:
| In the unregulated scenario, you at least know the score. In
| the current scenario, you have a false sense of security that
| this must be the real deal, because Apple reviews the app
| submissions.
| tailspin2019 wrote:
| How, in the utter fuck, does this get past app review?
|
| It's not like it's an edge case either, there are hundreds of
| apps with obviously and blatantly misleading logos, brands, names
| etc. Just see ChatGPT / OpenAI for example.
|
| I have taken to sharing direct links to Apps in the app store now
| when recommending things to non-technical friends/family, because
| I've lost all confidence that they will find the "correct" app
| anymore just by searching, and not one of hundreds of highly
| dubious clone apps.
|
| Difficult to argue against the recent actions of the EU when the
| supposed benefits of the walled garden are crumbling anyway...
| mdaniel wrote:
| Also, I somehow got the impression that one needed to provide
| Apple with live credentials to exercise any cloud service that
| the app fronts; so that makes me wonder if the malicious actor
| bought a LastPass subscription just to allow Apple to phish
| themselves?
| euroderf wrote:
| Does not the word review in sentence one need irony quotes?
| sccxy wrote:
| Yeah, and my app got rejected because it links to another
| webpage...
| chrisjj wrote:
| > LastPass is warning that a fake copy of its app is being
| distributed on the Apple App Store
|
| Fake news. LastPass's warning does not claim the other app is a
| fake copy.
| Pfhortune wrote:
| https://blog.lastpass.com/2024/02/warning-fraudulent-app-imp...
|
| > LastPass would like to alert our customers to a fraudulent
| app attempting to impersonate our LastPass app on the Apple App
| Store. The app in question is called "LassPass Password
| Manager" and lists Parvati Patel as the developer.
| chrisjj wrote:
| Yup. No fake copy claim there.
|
| And the claim of fraud is unsubstantiated.
| lcnPylGDnU4H9OF wrote:
| > No fake copy claim there.
|
| What would you consider to be such a claim? The part they
| quote seems to explicitly call out the other app as being a
| fake copy when they call it "a fraudulent app attempting to
| impersonate our LastPass app".
|
| > And the claim of fraud is unsubstantiated.
|
| You seem to be asserting that there is no such claim. What
| are you trying to say?
| chrisjj wrote:
| [delayed]
| chrisjj wrote:
| >> close examination of the posted screenshots reveal
| misspellings and other indicators the app is fraudulent
|
| Misspellings indicate fraud?? Good grief.
| lapcat wrote:
| The App Store description said, "Trusted by over 1+ million
| users and 10,000+ businesses". That's fraud.
| chrisjj wrote:
| No, that's at most just deception.
|
| Check the meaning of fraud in the dictionary, please.
| lapcat wrote:
| I did. Maybe you should too. Although the dictionary is not
| actually a legal authority.
| phmqk76 wrote:
| Fraud is a misrepresentation to induce reliance in another.
| This statement absolutely qualifies. Duh.
| phmqk76 wrote:
| Apple: Our devices must remain walled gardens so only the highest
| quality, legitimate apps are able to be installed. And we require
| a 30% rent on every transaction for the purpose of maintaining
| the integrity of our garden.
|
| Also Apple: _Lets in thousands of scam apps as a matter of
| course_
___________________________________________________________________
(page generated 2024-02-08 23:02 UTC)