Most mobile app stores are still failing to adequately protect consumers against malicious downloads according to newly published research.

Security firm RiskIQ Inc. made the finding in its second-quarter mobile report, which analyzed 120 mobile app stores and 2 billion daily scanned resources, with most app stores scoring a fail grade when it comes to protection.

An app store by the name of AndroidAPKDescargar topped the list as providing the worst experience for consumers in relation to protection against malicious apps for the second quarter running. But most surprisingly, sitting in second place on the list was Google Play when it came to distributing bad apps. In third place was what RiskIQ describes as “feral apps,” apps downloaded directly from individual websites.

Trojans and adware were the top threats found in the report, but it wasn’t all bad news. Blacklisted app downloads fell 40 percent from the first quarter. This is believed to be due to an increased awareness of risks by consumers along with improved policing by app store providers.

“Mobile app security continues to be a challenge, even for the biggest brand names,” Mike Wyatt, director of product operations at RiskIQ said in a statement. “The size, complexity and dynamic nature of the global app store ecosystem mean that app developers and marketplace providers can never protect all users from cybercrime. However, they can do more to protect their customers, including version control, monitoring for abuse, employing verification techniques, and offering education.”

For consumers, the advice remains to practice safe Internet. RiskIQ Chief Executive Officer Lou Manousos told SiliconANGLE via email that there are simple things consumers can do to protect themselves against malicious apps. 

For one, users should beware of too many permission requests, especially extra permissions that go beyond what the app is promising to deliver. Despite Google Play coming in second place for the distribution of malicious apps, Manousos recommended that consumers are always safer downloading apps from official app stores, saying that “of course there are still security concerns with official stores such as the Apple App Store and Google Play, but many cyberthreat actors have moved away from official stores, focusing more on feral applications and secondary hosting providers.”

In an unexpected twist, Manousos added that consumer should not trust product ratings or download stats, saying that “just because an app appears to have a good reputation doesn’t make it so” and that “rave reviews can be forged, and a high number of downloads can simply indicate a threat actor was successful in fooling a lot of victims.” Consumers are advised to check out the name of the developer as well, and if “it’s not a brand you recognize or has a strange appearance or spelling, think twice.”

A full copy of the report can be obtained from the RiskIQ website.

Photo: 143601516@N03/Flickr