
National Cyber Security Centre chiefs warn of malicious app risk

A new report by the UK's National Cyber Security Centre (NCSC) has warned of the threats posed by malicious apps.

While most people will be familiar with apps downloaded on to smartphones, devices from smart TVs to smart speakers now also have them.

The government is consulting on new guidelines on security and privacy for apps and app stores.

The NCSC's technical director, Ian Levy, said there was "more for app stores to do" on security.

Mr Levy added that cyber-criminals were "currently using weaknesses in app stores on all types of connected devices to cause harm".

Last year, the government noted, Android phone users downloaded apps which contained the Triada and Escobar malware from various third-party app stores.

"This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices".

It includes an example of a security company demonstrating how it could create a malicious app for a fitness firm's popular tracker, one that could be downloaded from a link using the company's web address to seem legitimate.

The app contained "spyware/stalkerware capable of stealing everything from location and personal body data". The company moved to fix the problem after the security firm alerted it.

The NCSC report noted that the appetite for apps had grown during the pandemic, with the UK app market now worth £18.6bn ($23.2bn).

The cyber-security centre supports the government's proposals to ask app stores to commit to a new code of practice setting out minimum security and privacy requirements.

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government said.

A proposed code of practice would require stores to set up processes so that security flaws can be found and fixed more quickly.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
