Some Apps Come Loaded With Malware

The British government conducted a review into the app store ecosystem from December 2020 to March 2022, which found that malicious and poorly developed apps continue to be accessible to users - clear evidence that some developers are not following best practice when creating apps.

Now, a new UK Report by the National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps and is asking the IT sector to address the security problems in app stores used by millions of customers.

“Over the last decade there has been an enormous increase in the availability and use of smartphones and smart devices... Many of these devices feature application stores 'app stores', which allow users to download additional applications and content. The vast majority of users, particularly on mobile platforms, download apps via these app stores,” says the NCSC Report.

All app stores share a common threat profile, with malware contained within apps being the most prevalent risk. Additionally, prominent app store operators are not adequately signposting app requirements to developers or providing detailed feedback if an app or update is rejected.

While most people will be familiar with apps downloaded on to smartphones, devices from smart TVs to smart speakers now also have them. The UK Government is discussing new guidelines on security and privacy for apps and app stores. 

  • The British government survey found that Android phone users downloaded apps which contained the Triada and Escobar malware from various third-party app stores. "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said. 
  • The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (Internet of Things) devices".

The NCSC report gives an example of a security company demonstrating how it can build a threatening app for a popular tracker from a fitness firm, which could be downloaded from a link using the company's web address to seem legitimate. The app contained "spyware/stalkerware capable of stealing everything from location and personal body data".

The NCSC report noted that the appetite for apps had grown during the pandemic, with the UK app market worth £18.6bn ($23.2bn).

The NCSC reinforces the government proposals to ask app stores to commit to a new code of practice setting out minimum security and privacy requirements. "Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government said. 

A proposed code of practice would require stores to set up processes so that security flaws can be found and fixed more quickly. App stores for smartphones, games consoles, TVs and other smart devices could be required to comply with a new code of practice setting out baseline security and privacy requirements.

They would need to share more security and privacy information in an accessible way, including why an app needs access to a user’s contacts and location. 

Sources: NCSC, Gov.UK, BBC, Silicon, Computer Weekly
