The U.K.'s National Cyber Security Centre (NCSC) published a report on the threat posed by malicious apps downloaded through official and third-party app stores.
The report warned that cybercriminals exploited “weaknesses in app stores on all types of connected devices to cause harm.”
It highlighted “fraudulent apps containing malicious malware” and “poorly developed apps” that cybercriminals could exploit.
The NCSC also criticized app store operators for failing to explain app requirements to developers and giving inadequate feedback when they reject an app or update.
Malicious apps exist on all app stores and target various device types
The study, conducted between December 2020 and March 2022, found that 87% of U.K. residents own smartphones. More than half (52%) of U.K. residents have also downloaded an app from the Google Play Store and 44% from Apple's App Store.
While Android gets a bad rap for malicious apps on the Google Play Store, the NCSC warned that the same weaknesses exist across app stores on every platform, not just Google's.
Additionally, the NCSC noted that malicious apps could run on devices other than smartphones, including laptops, desktop computers, games consoles, and wearables such as smartwatches and fitness trackers. Other devices targeted by malicious apps include smart TVs, smart speakers such as Alexa devices, and IoT devices.
Despite the high prevalence of malware, the NCSC acknowledged that mobile app stores were "not fundamentally different" from app stores on other device types.
However, the sheer number of smartphones owned by consumers made mobile app stores attractive channels for distributing malicious apps.
NCSC officials noted that the biggest problem plaguing app stores was malware capable of stealing users' information and causing financial losses.
“All app stores share a common threat profile with malware contained within apps the most prevalent risk,” cyber security minister Julia Lopez said.
For example, Android phone users downloaded apps infected with the Triada and Escobar malware from third-party app stores. The malicious apps allowed cybercriminals to remotely take control of victims' devices, steal their data, and enroll them in premium services without their consent.
According to the NCSC, the COVID-19 pandemic exacerbated the problem with the increased demand for apps.
NCSC chiefs back new U.K. privacy and security guidelines
NCSC technical director Ian Levy noted that app stores could do more to protect their users from malicious apps spreading through their stores.
He supported a government proposal requiring app stores and developers to commit to a new code of practice setting minimum security and privacy requirements.
The proposal would affect tech giants such as Amazon, Apple, Google, Huawei, Microsoft, Samsung, and others distributing apps in the UK.
The proposal requires a vulnerability reporting process for every app available on app stores targeting U.K. citizens, so that security researchers have a clear route to report flaws and developers can discover and remediate them faster.
Similarly, app stores and developers must provide a descriptive and accessible explanation of apps’ privacy and security information.
For example, they should explain why an app needs permission to access users’ contacts or locations.
“I support the proposed code of practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues,” Levy said.
He also underscored the need for app stores to “protect users and maintain their trust.”
The cyber security minister said apps should not unnecessarily put users’ finances at risk.