Fake LastPass Gets Vetted by App Store


A fake app pretending to be from password manager LastPass not only made it into the Apple App Store but had a five star rating. It's arguably among the worst possible types of bogus app to bypass Apple's usually strict vetting process.

LastPass is one of the best known password manager tools. It lets users store their passwords in an encrypted vault, accessible only with a master password. The service can also generate secure passwords. The company's name is based on the idea that the master password is the last password the user will ever need to create or remember.

The big catch, of course, is that the user needs to protect this master password at all costs. Were scammers able to get hold of the password, they'd be a step closer to getting access to all the user's stored passwords, though they'd still usually have to bypass two factor authentication.

Not even LastPass has a copy of this password, so tricking the user into revealing it would be the only way to get it. That's almost certainly the goal of the creator of the fake app, which was simply called "LastPass Password Manager", though the developer was listed as Parvati Patel rather than LastPass.
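To show why a service built this way never holds the master password, here is an added illustration (not LastPass's code or its exact design) of the usual client-side derivation pattern: the master password is stretched into a vault key on the device, a separate one-way login token is derived from that key, and the server stores only a salted hash of the token. The iteration counts, the use of the e-mail address as salt, and the sample password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

# Constructed work factors for the illustration; a real product tunes these.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. This key encrypts the vault and never leaves the device.
    The e-mail address is used as a per-user salt (an assumption for the example)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS
    )


def derive_auth_token(vault_key: bytes, master_password: str) -> bytes:
    """Client side. One more one-way step produces the value sent at login, so
    the token cannot be turned back into the vault key or the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_enroll(auth_token: bytes) -> dict:
    """Server side. Hash the received token again with a fresh random salt before
    storing it; the server never sees the master password or the vault key."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", auth_token, salt, SERVER_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, auth_token: bytes) -> bool:
    """Server side. Constant-time comparison against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_token, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def login(record: dict, email: str, master_password: str) -> bool:
    """Full client-plus-server login round trip for a given master password."""
    vault_key = derive_vault_key(master_password, email)
    return server_verify(record, derive_auth_token(vault_key, master_password))


def generate_password(length: int = 20) -> str:
    """Random site password using the OS CSPRNG, as a manager's generator would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample user for the demonstration.
    email = "user@example.com"
    master = "correct horse battery staple"
    key = derive_vault_key(master, email)
    record = server_enroll(derive_auth_token(key, master))
    print("stored on server:", record["verifier"].hex())  # bears no usable relation to the vault key
    print("login with right password:", login(record, email, master))
    print("login with wrong password:", login(record, email, master + "!"))
    print("generated site password:", generate_password())
```

The point the article relies on falls out of the structure: the only material the server ever stores is `verifier`, which is two one-way derivations away from the master password, so obtaining the master password requires getting it from the user, which is what a look-alike app is positioned to do.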

Immediate Action

The real LastPass did not hang about once they became aware of the fake app, telling The Register that it "immediately began a coordinated and multi-faceted approach across our threat intelligence, legal and engineering teams to get the fraudulent app removed." That's now happened, though Apple has yet to publicly comment on the incident. (Source: theregister.com)

Not only should several inconsistencies in the fake app have triggered suspicion during the vetting process, but reviewers arguably should have been extra cautious given the extremely sensitive nature of a password manager app.

Fake Five Stars

The scam also raised some questions about the Apple App Store's rating system. The app had five ratings: one gave it five stars, and the other four gave it one star along with a warning that it was a scam. Yet the average rating displayed was five stars.

The good news is there's no sign yet that the fake app did successfully collect any master passwords. However, it is possible users submitted other sensitive information such as login details for other websites or card numbers. (Source: arstechnica.com)

What's Your Opinion?

Are you surprised such a fake app got past Apple's checks? Do you take any steps to check an app is legitimate before installing it? Do you trust password managers overall?
