Some Apps Come Loaded With Malware

The British government conducted a review into the app store ecosystem from December 2020 to March 2022 which found that malicious and poorly developed apps continue to be accessible to users - clear evidence that some developers are not following best practice when creating apps. 

Now, a new UK Report by the National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps and is asking the IT sector to address the security problems in app stores used by millions of customers.

“Over the last decade there has been an enormous increase in the availability and use of smartphones and smart devices... Many of these devices feature application stores 'app stores', which allow users to download additional applications and content. The vast majority of users, particularly on mobile platforms, download apps via these app stores,” says the NCSC  Report.

All app stores share a common threat profile with malware contained within apps the most prevalent risk. Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.

While most people will be familiar with apps downloaded on to smartphones, devices from smart TVs to smart speakers now also have them. The UK Government is discussing new guidelines on security and privacy for apps and app stores. 

  • The British government survey found that Android phone users downloaded apps which contained the Triada and Escobar malware from various third-party app stores. "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said. 
  • The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (Internet of Things) devices".

The NCSC report an example of a security company demonstrating how it can build a threatening app for a popular tracker from a fitness firm, that could be downloaded from a link using the company's web address to seem legitimate. The app contained "spyware/stalkerware capable of stealing everything from location and personal body data".

The NCSC report noted that the appetite for apps had grown during the pandemic, with the UK app market  worth £18.6bn ($23.2bn).

The NCSC reinforces the government proposals to ask app stores to commit to a new code of practice setting out minimum security and privacy requirements. "Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government said. 

A proposed code of practice would require stores to set up processes so that security flaws can be found and fixed more quickly. App stores for smartphones, games consoles, TVs and other smart devices could be required comply with a new code of practice setting out baseline security and privacy requirements. 

They would need to share more security and privacy information in an accessible way, including why an app needs access to a user’s contacts and location. 

NCSC:      Gov.UK:         BBC:       Silicon:      Computer Weekly:   

You Might Also Read: 

Mobile Cyber Attacks: The Different Facets Of Smartphone Malware:

 

« The Cyber Security Investment Boom Continues
Wanted: Access To Social Media Data »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DNV

DNV

DNV are the independent expert in assurance and risk management. We deliver world-renowned testing, certification and technical advisory services.

Cymulate

Cymulate

Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to know and optimize your security posture any time, all the time.

Vysk Communications

Vysk Communications

Vysk is an award-winning mobile security firm that has developed the world’s most secure system for voice communication.

ERMProtect

ERMProtect

ERMProtect is a leading Information Security & Training Company that helps businesses improve their cybersecurity posture and comply with regulations.

Cryptovision

Cryptovision

cv cryptovision GmbH is one of the leading specialists for modern, user-friendly cryptography and solutions for secure electronic identities.

Destel

Destel

Destel is a system integrator and provider of IT services focused on Advanced Network & Security Solutions.

Metro Systems

Metro Systems

Metro Systems offer fully integrated IT solutions & services covering Digital Transformation, Digital Infrastructure, Cyber Security and Training.

Featurespace

Featurespace

Featurespace is a world-leader in Adaptive Behavioural Analytics and creator of the ARIC™ platform for fraud and risk management.

certSIGN

certSIGN

certSIGN develop innovative software for information security and information systems protection.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

DataNumen

DataNumen

The fundamental mission of DataNumen is to recover as much data from inadvertent data disasters as possible.

Redhorse

Redhorse

Redhorse provides top-tier consulting to help clients address mission-critical government problems in National Security, Networking Technology, Energy and the Environment.

Axiado

Axiado

Axiado Corporation is a security processor company redefining hardware root of trust with hardware-based security technologies, including per-system AI.

Deutsche Gesellschaft für Cybersicherheit (DGC)

Deutsche Gesellschaft für Cybersicherheit (DGC)

As a leading provider of cyber security, DGC supports companies in taking advantage of the opportunities offered by the digital transformation – and in minimizing the associated risks.

CFTS

CFTS

CFTS 'Computer Facilities Technical Services' is a Ugandan ICT Support Company that specialises in infrastructure and support services including network security.

ZILLIONe

ZILLIONe

ZILLIONe is one of Sri Lanka´s top enterprise technology solutions providers.