Some Apps Come Loaded With Malware

The British government conducted a review into the app store ecosystem from December 2020 to March 2022 which found that malicious and poorly developed apps continue to be accessible to users - clear evidence that some developers are not following best practice when creating apps. 

Now, a new UK Report by the National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps and is asking the IT sector to address the security problems in app stores used by millions of customers.

“Over the last decade there has been an enormous increase in the availability and use of smartphones and smart devices... Many of these devices feature application stores 'app stores', which allow users to download additional applications and content. The vast majority of users, particularly on mobile platforms, download apps via these app stores,” says the NCSC Report.

All app stores share a common threat profile, with malware contained within apps being the most prevalent risk. Additionally, prominent app store operators are not adequately signposting app requirements to developers or providing detailed feedback if an app or update is rejected.

While most people will be familiar with apps downloaded on to smartphones, devices from smart TVs to smart speakers now also have them. The UK Government is discussing new guidelines on security and privacy for apps and app stores. 

  • The British government survey found that Android phone users downloaded apps which contained the Triada and Escobar malware from various third-party app stores. "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said. 
  • The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (Internet of Things) devices".

The NCSC report cites an example of a security company demonstrating how it can build a threatening app for a popular tracker from a fitness firm, which could be downloaded from a link using the company's web address to seem legitimate. The app contained "spyware/stalkerware capable of stealing everything from location and personal body data".

The NCSC report noted that the appetite for apps had grown during the pandemic, with the UK app market worth £18.6bn ($23.2bn).

The NCSC reinforces the government proposals to ask app stores to commit to a new code of practice setting out minimum security and privacy requirements. "Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government said. 

A proposed code of practice would require stores to set up processes so that security flaws can be found and fixed more quickly. App stores for smartphones, games consoles, TVs and other smart devices could be required to comply with a new code of practice setting out baseline security and privacy requirements.

They would need to share more security and privacy information in an accessible way, including why an app needs access to a user’s contacts and location. 

Sources: NCSC, Gov.UK, BBC, Silicon, Computer Weekly
