LastPass warns of imposter app in Apple’s App Store

9 Feb 2024

Image: © dacianlogan/Stock.adobe.com

The password manager said the fraudulent app attempts to copy the company’s branding and user interface in order to trick users.

LastPass, the app used by more than 30m users to store their passwords, is warning of a fake version of its app in the Apple App Store.

The company issued an alert to its customers about the impersonating app, which copies LastPass’s branding and logo but is actually called ‘LassPass Password Manager’ and lists Parvati Patel as the developer.

“We are raising this to our customers’ attention to avoid potential confusion and/or loss of personal data,” the company said on its website.

“Rest assured, LastPass is actively working to get this application taken down as soon as possible and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property.”

As a password management application, the data entered into LastPass’s app is extremely sensitive. Obtaining these details via a fraudulent app could be used to steal credentials.

Such imposter apps rely on users speedily downloading apps with familiar branding and names that, upon first look, appear to be the company name they were looking for.

However, closer inspection will show that the name and branding are not correct and that this particular imposter app only has one rating, while the real LastPass app has more than 52,000 App Store ratings.

A screenshot of the fraudulent app pretending to be LassPass.

The imposter app, named LassPass.

An app screenshot of the real LastPass.

The real LastPass interface.

In 2022, LastPass suffered a data breach that saw customer data stolen from the company’s cloud storage. The company said the threat actor was able to decrypt the information it had stolen by targeting a DevOps engineer.

However, while sensitive data was stolen, the company said that the data was encrypted and it would be very difficult for the threat actor to attempt “brute force” to guess master passwords.

When LastPass confirmed the breach in December 2022, CEO Karim Toubba said there was “no evidence that any unencrypted credit card data was accessed.”

Find out how emerging tech trends are transforming tomorrow with our new podcast, Future Human: The Series. Listen now on Spotify, on Apple or wherever you get your podcasts.

Jenny Darmody is the editor of Silicon Republic

editorial@siliconrepublic.com