Apple approved a fake ‘LastPass Password Manager’ app for the App Store

Apple’s App Store review team is notoriously fickle about the software it approves for sale. Some companies have found themselves needing to tweak, change, or even totally remove certain features in order for their app to make it through the process.

Yet, somehow, a fake LastPass app made it past this very review team. Even worse, the fraudulent version of LastPass was available for weeks before it was eventually taken down, and only after it was noticed by the LastPass team themselves.

“LastPass would like to alert our customers to a fraudulent app attempting to impersonate our LastPass app on the Apple App Store,” LastPass wrote on its company website on Wednesday. 

The statement points out that the imposter pretending to be the official LastPass app listed an individual by the name of “Parvati Patel” as its developer, instead of LastPass parent company, LogMeIn.

“The app attempts to copy our branding and user interface, though close examination of the posted screenshots reveal misspellings and other indicators the app is fraudulent,” LastPass pointed out. Most notably, the fake LastPass app is listed as “LassPass Password Manager” — note the “Lass” in place of “Last.”

According to TechCrunch, the LastPass team reached out to Apple to find out more about how “LassPass” survived the iPhone-maker’s usually stringent App Store review process. While Apple has not provided any information publicly on this matter, the company has since removed “LassPass Password Manager” from the App Store.

It’s unclear, at least for the moment, how many people fell for this scam, just as it’s not yet confirmed that the fake app was a phishing attempt, though that would be the most obvious reason to masquerade as a password manager app.

An ironic time for an App Store misstep

Recently, Apple’s app distribution policies have been headline news following the company’s release of new rules created in response to the EU’s Digital Markets Act (DMA). This new regulation was instituted in order to loosen Apple’s control over how third-party apps are distributed on iPhones, allowing users to download apps on alternative marketplaces that are not bound by Apple’s App Store content rules or revenue share policies.

In response, Apple engaged in what one critic called “malicious compliance,” formulating new, DMA-compliant policies for these alternative marketplaces and the apps distributed on them, including scenarios in which developers potentially pay Apple more than they would have if they just released their apps through the official App Store. Apple’s move was roundly condemned by developers big and small. CEOs from companies like Xbox, Epic Games, Spotify, and even Meta’s Mark Zuckerberg criticized Apple, accusing the company of trying to profit off the DMA.

Why this so-called act of “malicious compliance”? That’s the ironic part. The iPhone-maker had opposed the DMA in the first place, taking the position that its walled-garden approach with the App Store keeps consumers safe from bad actors. As TechCrunch highlights, Apple even wrote as such in its own post about its new DMA compliant rules.

“The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats,” Apple said in its Jan. 25 blog post. And yet, at the time Apple released that statement, “LassPass Password Manager” was already available for download in the official App Store, having been approved four days earlier.