Amazon & Google Accidentally Approved Apps that Spy on Users Via Home Speakers
Malicious code disguised as regular apps.
Research has revealed that some third party apps for Amazon Alexa and Google Home can be used to secretly eavesdrop on users, obtaining personal information about them. According to Ars Technica, researchers from German firm Security Research Labs created eight different Skills for Amazon Alexa and Actions for Google Home, all of which appear to be normal but have been confirmed as malicious.
Disguised as regular apps like horoscope readers and random number generators, the Skills and Actions hack home speakers to collect personal data like passwords, as well as spy on users even after they think the speaker is finished listening. The apps give a fake error message to give the impression that they have ended their sessions, however they actually continue listening while taking down a transcript of everything the user says. Soon after, the apps mimic the Voices of Amazon Alexa and Google Home to offer users a false update, prompting them to provide their password for it to be installed.
All of the malicious apps were approved by Amazon and Google, but they were removed once SRLabs privately shared its findings with both companies. As a result, Amazon and Google state that they are revising their app reviewal process to prevent similar cases from happening in the future.
“The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood,” SRLabs said in a recent statement, according to Engadget. “Users need to be more aware of the potential of malicious voice apps that abuse their smart speakers. Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone.”
Watch the malicious apps in action via the clip below.
Meanwhile, Amazon is continuing to dabble in user experience programs, rolling out a new “Watch Party” feature for Twitch.
