LastPass has alerted users to the existence of a phony version of its app, dubbed “LassPass Password Manager [sic],” on the Apple App Store.
According to the password manager provider, the phony app lists Parvati Patel as its developer and imitates the company’s branding and user interface. The genuine app is published by LastPass’s parent firm, LogMeIn Inc.
LastPass asserts that it “is actively working to get this application taken down as soon as possible, and will continue to monitor for fraudulent clones of our applications and/or infringements upon our intellectual property.”
More trouble
This is not the first security incident to affect LastPass. In October 2022, it infamously suffered a series of breaches which resulted in users’ password vaults being stolen by threat actors. However, the vaults remained encrypted, so the hackers could only access the stored credentials if they guessed or cracked the master passwords securing the vaults.
There was still some fallout linked to the breaches, however, including a crypto-stealing scam that was thought to have made use of stolen LastPass accounts. The hackers in this case may have been able to crack the master passwords securing users’ vaults, especially if the passwords were weak and easy to guess, or had been reused from other accounts that were found in previous data breaches.
It is not often that fraudulent apps of such a high profile are found in Apple’s App Store, given the stringent controls the tech giant places on it. Google’s Play Store, on the other hand, frequently sees fake and malicious apps uploaded to its platform.
Recently, six malicious Android apps were found on the store that were pretending to be chat apps, but actually contained info-stealing malware that could swipe contacts, call logs, and SMS messages.
In its blog post, LastPass has provided the URLs for both the fake and legitimate versions of the app on the App Store, “so that customers can verify they are downloading the correct LastPass application for themselves until the fraudulent app is taken down.”