When it comes to passwords, one piece of advice we give our readers is to use password managers / vaults to help them maintain, keep track of, and store away account logins that are impossible to recall by memory on a daily basis – for example, Dashline, Keychain, 1Password, and LastPass.
We also advise our readers to download directly from the official websites of these password managers or from highly trusted third-party app markets, such as Google Play, the App Store, and the Chrome Web Store. But even legitimate sites can harbour fake apps, and we’ve seen this happen time and time again. As such, extra care is needed more than ever in weeding out the real ones from the knock-offs. This post is to remind our readers to keep a sharp eye on apps that claim to be the real thing but are actually rogue versions of those they’re imitating.
Recently, we spotted one such app claiming to be LastPass on the Chrome Web Store:
Those with trained eyes can tell that something is already off upon looking at this page. Firstly, this LastPass app seem to rate poorly even if it’s one of the most sought after and popular password vaults on the Web. Secondly, the supposed named developer, AdGetBlock, seem to be the wrong brand to offer such a product.
In case you’re not aware, the real LastPass app is being offered by “lastpass.com” on the Chrome Web Store.
We downloaded and installed the fake LastPass app on Chrome on one of our test machines, and the popup notification states that the app wants to “Display Notifications”.
Once done, we clicked the icon on Chrome’s app page expecting it to execute malicious code, but instead it redirected us to a page on the website:
LASTPASS UNIVERSAL WINDOWS INSTALLER The Universal Windows installer installs browser extensions for Internet Explorer, Firefox, Chrome, Safari, and Opera. It also allows you to create a LastPass account and import your existing passwords. It's the best way to install LastPass on Windows. The 64 bit install includes 32 bit IE installer.
Website redirection is the main purpose of this fake LastPass app. That may be the least straightforward way of doing things, but at the very least we can see that this tactic works.
Moving on, the working download link on the page is the text “Download App”. Hitting that directed us to this page:
LASTPASS UNIVERSAL WINDOWS INSTALLER DOWNLOADING Click here if download doesn't start automatically.
Of course, like most questionable sites, the genuine link can easily be missed in amongst the wealth of download button adverts (in the above case, the link is directly above the central green “Start Download” advert).
Be reminded that this is the kind of deceptive ad placing that Google has been clamping down from the early months of 2016.
Since this download page is the only one that contains ads, we can surmise that this is also an attempt to cash in on clicks and page views.
If users are able to spot the “Click here” link text, they can be assured that a legitimate copy of the LastPass executable is sitting on it. If users click at least two of the big green button ads instead, they are directed to Easy Doc Merge (or EasyDocMerge), an application distributed by Mindspark:
Anyway, clicking the “Free Download” button triggers a prompt to download and install a browser app.
Thankfully, Google has already removed the fake LastPass extension from the Chrome Web Store. As for the websites mentioned on this post, they are now being actively blocked by our product. In addition, our very own Pieter Arntz recently posted a removal guide for Easy Doc Merge that you can check out on this Malwarebytes forum post.
Stay safe, everyone!
Jovi Umawing (Thanks to Chris)