• ORNA

UK Government Combats Malicious Apps With New Security Proposals

Over a decade ago, apps were commonly referred to as “programs.” In those days before smartphones became mainstream, the PC was the center for information and interaction on the cyber frontier.


I had a flip phone back then in the 2000s. I used my computer at home or busted out my laptop at work. For those of us who didn’t have GPS, we printed out MapQuest directions. Oh, how the times have changed! This is why I feel so old.


Because the number of smart devices people now use has multiplied exponentially, so also have the potential threat vectors. Since the attack surface has widely increased, malware and other mobile phone attacks are now commonplace.


Smart devices are our go-to for every little thing. From smartwatches to TVs, and IoT devices in our homes, the list of smart devices most people use daily is pretty extensive. Trust and believe that threat actors are aching to plant their malware on your devices. That’s because smartphones serve as the total nexus of everything, which connects us to every service we use.


According to cybersecurity researchers at Proofpoint, they noticed an aggressive 500% rise in attempted mobile malware attacks at the start of the year. Last year, data reported from Kaspersky detailed the detection of almost 3,464,756 malicious files. This included 97,661 mobile banking trojans and 17,372 mobile ransomware trojans.


As mobile malware shows no sign of resistance, the UK National Cyber Security Centre (NCSC), an organization of the UK government, has made a move to address their concerns and assess the risks of the malicious mobile apps epidemic.


UK Government, Lawmakers, and Malicious Mobile Apps


A report published by the NCSC demonstrated that malware still finds its way onto devices, by managing to slip past the vetting process required by an official app store. The purpose of the vetting and reviewing process is so that operators can examine the apps to look for malicious activities.


Regardless of this security checkpoint, malware still can, and does, find opportunities to infect users. Because mobile phone users are the majority, app stores are provably a popular target for threat actors.


Imagine a popular app that functions as promised, but harbors silently malicious operations under the radar. Such an app could yield insurmountable benefits to the malicious operator behind the app. Think malware in disguise as a cryptocurrency wallet, and the amount of damage leaves nothing to the imagination.


“[M]alicious and poorly developed apps continue to be accessible to users, therefore it is evident that some developers are not following best practice when creating apps,” the NCSC claims in the report, and adds:


“Additionally, prominent app store operators are not adequately signposting app requirements to developers and providing detailed feedback if an app or update is rejected.”

Furthermore, the report explained that fraudulent apps are putting users’ data and money at risk and not only due to the efforts of cybercriminals, but also poorly developed apps, which exist with exploitable weaknesses that hackers probe for.


UK Government Calls to Action


The findings published in the report are substantial, and take careful consideration of the susceptibility of the variety of app stores to malicious apps. This includes IoT voice assistant and smart device stores, the usage of third-party app stores, as well as gaming stores for console and PC platforms.


Following the discoveries released by the government, they sought the perspective of the tech industry, with the aim to look for solutions for enhanced security and privacy requirements regarding firms operating app stores and for app developers.


Under the new proposals, app stores for all smart devices and gaming consoles may need to submit to new security and privacy practices. According to the NCSC, this “would be the first such measure in the world.”


“These types of initiatives raise crucial awareness of the security issues that we currently face and provide a healthy and necessary debate on the subject,” said Filip Verloy, technical evangelist at Noname Security. “This should prove useful even if it only accomplishes just that.”


Additionally, he commented that the proposed measures aren’t without flaws of their own. Namely, he explained that Apple has already made it a point of discernment to make privacy and security its top priority and to perform exhaustive moderation in their app stores, compared to their competitors.


“Secondly, there is no such thing as 100% certainty about security when it comes to software, though laying out best practices and increasing scrutiny will certainly help weed out the worst offenders,” he added.

Awareness Is Vital


Since I became a smartphone user, I have crossed paths with an exorbitant amount of malware and security risks, often which could have been avoided with a little prudence. One of the primary security concerns I’ve encountered is the necessary after-market anti-virus protection apps available for most devices.


The problem isn’t the apps, but that the apps are only installed if the user ever decides they need one, as opposed to the devices that were built to be secure. Another critical issue is the many games that promise big payouts but instead harvest sensitive user data or infect the device.


For smartphone users who have a tendency to download reams of games or other apps, it is important to check the app rating and examine the reviews. However, customer reviews can sometimes be misleading, which is why it is important to search the web for additional opinions regarding an app you might be dubious about.


Perhaps, better security and privacy practices will be proposed on a grander scale in other places of the world, or by tech industrialists in general, to help minimize the impact of malicious apps and the developers behind them.


An article by

Jesse McGraw


Edited by

Ana Alexandre



17 views
Screen Shot 2022-06-13 at 4.57.16 PM.png

Detect, respond, prevent and SOAR with ORNA

Subscribe

Weekly cyber insights

Thanks for submitting!