NCSC Warns Of Threats Posed By Malicious Apps

Millions of people install apps to manage smart devices, but UK’s NCSC warns of risk posed by fraudulent apps containing malware

GCHQ’s National Cyber Security Centre (NCSC) has issued a warning about the risk associated with the use of official and third party app stores.

In its report on Wednesday, NCSC pointed out that over the past decade there has been an enormous increase in the availability and use of smartphones and smart devices. But the rise of downloadable apps, some of which contain malware, has also increased the security risks for end-users.

It should be noted that the issue of rogue apps containing malware is not a new problem, after the government and campaign groups as far back as 2011 warned about the problem.

powerapps

Call for views

But nowadays any smart device and other tech items we have in the home or business, are usually accompanied by an app, sometimes hosted on a third-party app store, and not on official app stores from Apple or Google.

But even apps hosted on official apps stores can sometimes contain malware.

The NCSC is concerned “since there is a great variety of devices (and supporting app stores), there are a number of disparate and complex security issues that that can expose consumers and enterprises to online threats.”

The NCSC report summarises the risks associated with the use of official and third party app stores, and offers links to guidance on how to mitigate the main threats.

And in order to provide better protection for consumers, the British government is launching a call for views from the tech industry on enhanced security and privacy requirements for firms running app stores and developers making apps.

Code of practice

Under new proposals, app stores for smartphones, game consoles, TVs and other smart devices could be asked to commit to a new code of practice setting out baseline security and privacy requirements.

This would be the first such measure in the world.

The proposed code would require stores to have a vulnerability reporting process for each app so flaws can be found and fixed quicker. They would need to share more security and privacy information in an accessible way including why an app needs access to users’ contacts and location.

The NCSC report found all types of app stores face similar cyber threats and the most prominent problem is malware, which can steal data and money and mislead users.

For example, last year some Android phone users downloaded apps which contained the Triada and Escobar malware on various third-party app stores.

This resulted in cyber criminals remotely taking control of people’s phones and stealing their data and money by signing them up for premium subscription services without the individual’s knowledge.

The NCSC report concludes the government’s proposed code of practice will have a positive impact and reduce the chances of malicious apps reaching consumers across different devices.

“Our devices and the apps that make them useful are increasingly essential to people and businesses and app stores have a responsibility to protect users and maintain their trust,” noted NCSC Technical Director Ian Levy.

Dr Ian Levy, technical director of the NCSC. Image credit: NCSC

“Our threat report shows there is more for app stores to do, with cyber criminals currently using weaknesses in app stores on all types of connected devices to cause harm,” said Levy. ““I support the proposed Code of Practice, which demonstrates the UK’s continued intent to fix systemic cybersecurity issues.”

“Apps on our smartphones and tablets have improved our lives immensely – making it easier to bank and shop online and stay connected with friends,” said cyber security minister Julia Lopez.

“But no app should put our money and data at risk,” said Lopez. “That’s why the Government is taking action to ensure app stores and developers raise their security standards and better protect UK consumers in the digital age.”

Too little, too late

But some experts have suggested this call for views is too little too late.

It’s good to see NCSC calling for views on ‘rogue apps’ and cracking down on app stores as these threats are endemic, but it could be too little too late,” noted Armen Najarian, chief identity officer at fraud prevention specialist, Outseer.

“Our latest fraud data shows that rogue apps make up 39 percent of all fraud globally, and attacks rose by 50 percent over Q3 2021,” said Najarian. “These convincing fakes have the ability to infect hundreds of thousands of consumers, costing them billions of pounds per year, and companies their reputations. The horse has already bolted.”

“Hopefully this call for views will result in new laws being passed, but it’s likely to be a slow process,” said Najarian. “Until that happens the best defence for consumers is education.”

“There are tell-tale signs of rogue apps, such as poor spelling and grammar or very few user reviews on app stores,” advised Najarian. “For companies, they must deploy brand monitoring, giving them 24/7 scanning capabilities across app stores, social media and URLs, coupled with rapid take down services that can stop rogue apps in their tracks.”