Alexa and Google Home abused to eavesdrop and phish passwords
Threat actors can use malicious applications in order to eavesdrop on Amazon Alexa and Google Home users, researchers with Security Research Labs have discovered. Rogue applications can also be used to carry out phishing attacks targeting owners of one of these voice assistants.
The two attacks developed by the researchers both follow the same pattern. In the first stage, the researchers developed a benign app and got it approved by Amazon or Google. Once the app passed all security checks, they made changes to it. While these modifications turned the apps into malicious tools, they did not prompt a new security review. The malicious apps deceived users by making them think they were no longer running.
The phishing app would respond with a fake error message upon activation by the user. It would then run silently for a certain amount of time, before informing the user of an available update and asking them to provide their password in order to install the fake update. The password would be recorded by the app.
The eavesdropping app was disguised as a horoscope. It was designed to answer users' questions while secretly recording them. Once it was activated, it would keep running without the victim's knowledge.