A new report from the UK’s National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps.
While most people are familiar with downloaded apps on smartphones, devices from smart TVs to smart speakers now have them too.
Government consults on new guidelines on the security and privacy of apps and app stores.
NCSC CTO Ian Levy said there was “more to do for app stores” when it comes to security.
Mr Levy added that cybercriminals are “currently using weaknesses in app stores on all types of connected devices to cause damage”.
Last year, the government noted, Android phone users downloaded apps containing Triada and Escobar malware from various third-party app stores.
“This has led to cybercriminals taking remote control of people’s phones and stealing their data and money by signing them up for premium subscription services,” he said.
The NCSC report noted that apps “can also be installed on laptops, computers, game consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices) and IoT (Internet of Things) devices.”
The report includes an example in which a security company demonstrated how it could create a malicious app for a fitness company’s popular tracker, which could be downloaded from a link that used the fitness company’s web address to appear legitimate.
The app contained “spyware/stalkerware capable of stealing everything from location and personal body data.” The fitness company decided to fix the problem after the security company alerted it.
A new code
The NCSC report noted that the appetite for apps had increased during the pandemic, with the UK app market now worth £18.6 billion ($23.2 billion).
The NCSC supports government proposals to require app stores to commit to a new code of practice setting out minimum security and privacy requirements.
“Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung,” the government said.
The proposed code of practice would require stores to put processes in place so that security vulnerabilities can be found and fixed more quickly.