Malware

Apple distributed a fake LastPass Password Manager in the App Store

Posted on by

Apple recently allowed a fake LastPass Password Manager app into the App Store. As of the morning of February 8, Apple has not yet removed the app, even after LastPass itself blogged about it on February 7. Update: Several hours after Intego published this article, Apple finally removed the app from the App Store.

It’s unclear when the fraudulent app first made it into the App Store; if downloaded onto a Mac, the modification dates within the binary suggest it was compiled on January 16. However, users began to notice the rogue app in the App Store on February 4. Two people posted warnings: “This is not the real LastPass” and “Probably a scam to steal passwords.”  Another two reviewers posted similar warnings on February 6.

All four reviewers gave the app 1 star out of 5. Oddly, Apple claims that the app has a “5.0 out of 5” rating with a total of 1 rating.

Does a blatant copycat constitute a legitimate app in Apple’s eyes?

Keen-eyed observers will note that the app’s title is technically “LassPass Password Manager.”  (That’s a double S in the middle of LassPass.) The fake app’s logo uses the same red-and-white color scheme, and features dots and a cursor. Technically, the app isn’t violating LastPass trademarks. But it’s evident that the developer was trying to make it look as close to the real LastPass as possible.

The fake app shows up in search results for LastPass, if you scroll down far enough. But more concerningly, if you mistakenly type LassPass, Apple “helpfully” suggests the fraudulent app’s title to help you find it.

“LassPass” is designed to run on iPhone and iPad. It’s also available in the Mac App Store and can run on Apple silicon-based Macs. And it’s even possible to run the app on Apple Vision Pro.

The fraudulent app even offers in-app purchase subscriptions, including a “lifetime plan” for $49.99. Given that Apple takes a cut of in-app purchase revenue, Apple may have directly profited from distributing “LassPass” in its App Store.

Apple has a major problem over-approving apps in sensitive categories

Given the highly sensitive information that people store in password managers—the virtual keys to one’s digital kingdom—Apple has a moral obligation to more carefully review this category of app in the App Store.

Similarly, Apple has had an ongoing problem with approving financial loan apps that aren’t developed by legally licensed lenders. As we noted in our 2023 Apple malware roundup, one independent researcher singlehandedly found and reported more than 200 fraudulent loan apps to Apple in 2023 alone. These apps may have plausibly garnered hundreds of thousands of cumulative downloads before Apple finally removed them.

Unless Apple begins to face significant public pressure to improve its practices, it’s unlikely that Apple will change. We urge responsible mainstream and tech journalists to join with us in drawing attention to Apple’s consistently bad behavior.

Reminder: we don’t recommend the real LastPass, either

Based on the real LastPass company’s track record, we don’t recommend using it as your password manager. You’re better off using iCloud Keychain, ExpressVPN Keys, or another commercial password manager instead.

Of course, many people still choose to use LastPass, and they should be able to safely download it without encountering unethical apps in the App Store.

Presumably, given enough public pressure, Apple will eventually remove the “LassPass” app from its App Store. This sort of thing has happened beforeseveral times. But it serves as a good reminder that users must be cautious about installing any app—even if Apple has supposedly vetted it. [Update: Apple did remove the app late Thursday, after widespread tech news and social media attention.]

What should I do if I’ve downloaded “LassPass”?

If you installed “LassPass” by mistake, take note of any passwords you may have added to it. Although we haven’t yet confirmed whether the app has data exfiltration functionality, it’s possible that the developer may try to steal your passwords.

So first and foremost: change any passwords you put into LassPass. Also change any similar passwords you may have used elsewhere. (Ideally, you shouldn’t reuse passwords across multiple services or use discernible password patterns.)

Next, uninstall the app. On an iPhone, iPad, or iPod touch, press and hold on an empty area of the Home Screen until the apps start to wiggle, then tap the ⊖ (circled minus symbol) in the top-left corner of the app icon. If you installed the app on your Mac, you can drag it from the Applications folder to the Trash, as with other apps from the Mac App Store.

This may, in a sense, be one of the first bits of malware (or potentially unwanted app, “PUA”) for Apple Vision Pro, since Apple says the app will also run on visionOS. To uninstall an app on Apple Vision Pro, pinch and hold on it, and then tap Remove App.

If you purchased a subscription, follow Apple’s procedure to request a refund.

How can I keep my Mac safe from malware?

Intego X9 software boxesIntego VirusBarrier X9, included with Intego’s Mac Premium Bundle X9, is a powerful solution designed to protect against, detect, and eliminate Mac malware.

If you believe your Mac may be infected, or to prevent future infections, it’s best to use antivirus software from a trusted Mac developer. VirusBarrier is award-winning antivirus software, designed by Mac security experts, that includes real-time protection. It runs natively on both Intel- and Apple silicon-based Macs, and it’s compatible with Apple’s current Mac operating system, macOS Sonoma.

If you use a Windows PC, Intego Antivirus for Windows can keep your computer protected from malware.

How can I learn more?

We’ll discuss “LassPass” on episode 331 of the Intego Mac Podcast; follow the podcast in Apple Podcasts, Spotify, or wherever you prefer to listen to make sure you don’t miss it!

In the meantime, be sure to check out our 2024 Apple malware forecast.

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter/X, LinkedIn, and Mastodon. View all posts by Joshua Long →