NCSC Warns of Malicious Apps on App Stores, Chief Supports New Consumer Regulations
A report from the U.K.’s National Cyber Security Centre (NCSC) addressed the threat posed by malicious apps downloaded through official and third-party app stores.
The report warned that cybercriminals were exploiting “weaknesses in app stores on all types of connected devices to cause harm.”
It highlighted “fraudulent apps that contain malware” and “poorly developed apps” that cybercriminals can exploit.
The NCSC also criticized app store operators for not explaining app requirements to developers and providing insufficient feedback when rejecting an app or update.
Malicious apps are found in all app stores and target various device types
The study, conducted between December 2020 and March 2022, found that 87% of UK residents own smartphones. More than half (52%) of UK residents have also downloaded an app from the Google Play Store and 44% from Apple’s App Store.
While Android gets a bad rap for malicious apps on the Google Play Store, the NCSC warned that these vulnerabilities exist in various app stores and their competitors.
In addition, the NCSC noted that malicious apps can run on various devices other than smartphones, including laptops, computers, game consoles, and wearable devices such as smartwatches and fitness trackers. Other devices targeted by malicious apps include smart TVs, smart speakers such as Alexa devices, and IoT devices.
Despite the high prevalence of malware, the NCSC acknowledged that mobile app stores were “not fundamentally different” from other stores.
However, the sheer number of smartphones owned by consumers made mobile app stores attractive channels for the distribution of malicious apps.
The NCSC chiefs noted that the biggest problem plaguing app stores was malware capable of stealing users’ information and causing financial losses.
“All app stores share a common threat profile with malware contained within apps being the most prevalent risk,” said Cyber Security Secretary Julia Lopez.
For example, Android phone users downloaded apps infected with Triada and Escobar malware from third-party app stores. The malicious apps allowed cybercriminals to remotely take control of people’s devices, steal their data and enroll them in premium services.
According to the NCSC, the COVID-19 pandemic exacerbated the problem with the increased demand for apps.
NCSC chiefs back new UK privacy and security guidelines
NCSC technical director Ian Levy noted that app stores could do more to protect their users from malicious apps spreading through their stores.
He backed a government proposal that would require app stores and developers to commit to a new code of practice that sets minimum security and privacy requirements.
The proposal will affect tech giants such as Amazon, Apple, Google, Huawei, Microsoft, Samsung and others who distribute apps in the UK.
The proposal requires a vulnerability reporting process for every app available in app stores aimed at UK citizens. The process will speed up vulnerability discovery and remediation.
Similarly, app stores and developers must provide a descriptive and accessible explanation of apps’ privacy and security information.
For example, they should explain why an app needs permission to access users’ contacts or locations.
“I support the proposed practice, which demonstrates the UK’s continued intention to fix systemic cyber security issues,” Levy said.
He also stressed the need for app stores to “protect users and maintain their trust.”
The cyber security minister said apps should not unnecessarily put users’ finances at risk.
“That’s why the government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age,” Lopez said.
While these suggestions are unlikely to guarantee 100% safe app stores, they will reduce the number of malicious apps sneaking onto app distribution sites.