LastPass, the password management app serving more than 33 million users, recently warned iOS users about a fake version of its app that made it through the security review process on the Apple App Store. The fake version mirrored the original logo and dropped a letter from the name to arrive at LassPass.

Parvati Patel created the LassPass app on the Apple App Store. They most likely created it to steal credentials from unsuspecting people who may be looking for a digital password manager. The aim was to get many people to download the fake version of the app and enter their ID numbers, passwords, and crypto seed phrases into it, allowing the threat actors behind the app to get into the victims’ accounts and steal their money and identities.

It’s unclear how many people (if any) fell for the fake LastPass app.

Typosquatting and How To Avoid It

The LassPass phishing attempt is a new take on an old trick known as “typosquatting.” It involves cybercriminals luring people to fake sites by misspelling the original name of a popular site in the hopes that the potential victims will not notice the difference before handing over sensitive information.

The app version of this trick is slightly different because the threat actor is banking on the victims not being able to differentiate between the original app and the fake one.

You can avoid becoming a victim of typosquatting or cloning in mobile app stores by doing the following:

  • Follow the app link on the original author’s website. LastPass has links to the original app on their website. Using that link instead of searching for the app yourself on the app store helps you avoid falling victim to the phishing attack.
  • Pay more attention to social proof. LastPass is a company with millions of users. You should be able to differentiate the original app from the fake LassPass on the Apple App Store by looking at metrics like date added, number of downloads, version history, reviews, and more. Don’t download the app if anything looks off.
  • Check the app details. Threat actors always make obvious errors in their attempt to game the security checks on the various app stores. A typo, an incomplete app description, grammatical blunders, and failure to use a business name as the app developer are dead giveaways of the scam.
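
The name and developer checks above can also be run automatically by a team watching a store for abuse of its brand. The following Python is an added example, not code from LastPass or Apple; the expected publisher string, the two-edit threshold, and the sample listings are assumptions constructed for illustration.

```python
import re

# Constructed allowlist: protected brand -> publisher expected on the store page.
# The publisher string is a placeholder, not LastPass's real App Store publisher.
PROTECTED = {"lastpass": "Official Publisher (placeholder)"}
MAX_EDITS = 2  # assumption: names within two edits of a brand count as lookalikes


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]


def classify(app_name: str, publisher: str) -> str:
    """Return 'official', 'impersonation', 'lookalike' or 'unrelated'."""
    tokens = re.findall(r"[a-z0-9]+", app_name.lower())
    candidates = set(tokens) | {"".join(tokens)}  # each word, plus the name with spaces removed
    verdict = "unrelated"
    for brand, expected in PROTECTED.items():
        for cand in candidates:
            if cand == brand:  # exact brand name: trust only the expected publisher
                return "official" if publisher == expected else "impersonation"
            if osa_distance(cand, brand) <= MAX_EDITS:
                verdict = "lookalike"
    return verdict


if __name__ == "__main__":
    # Constructed listings; the LassPass name and developer are the ones reported above.
    for name, pub in [("LassPass", "Parvati Patel"), ("Weather Radar", "Sample Dev")]:
        print(f"{name!r} by {pub!r}: {classify(name, pub)}")
```

A "lookalike" or "impersonation" verdict is a prompt for manual review of the listing, not proof of fraud, since short or generic brand names will produce false positives at this threshold.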

Should Users Expect Another LassPass on the Apple App Store?

Apple boasts a robust security review system for weeding out fake and malware-ridden apps on their app store. Thus, the latest breach raised many eyebrows. It’s still unclear how LassPass got on the Apple App Store, but we’ll likely see another attempt like this.

Future threat actors might not clone LastPass again. Still, they may attempt to piggyback off the popularity of the thousands of other apps trusted by millions of users around the globe. Make sure to proceed with caution if anything seems out of the ordinary.
