White-hat hackers from Germany’s Security Research Labs have developed apps that can be used to eavesdrop on users and phish for their passwords, Ars Technica reports.
The team reportedly developed four Alexa apps and four Google Home apps, all of which passed the relevant security tests implemented by Amazon and Google respectively.
These apps pretend to be simple, non-malicious apps – such as horoscope checkers and random number generators.
The apps listen to the user’s question, and upon answering it – either with an appropriate answer or with an error message – they go quiet, appearing to have stopped listening.
However, this is not the case: the apps instead continue eavesdropping on the user’s conversations and send them to a server designated by the app designers.
The phishing apps go quiet for about a minute, then use a voice that mimics the Alexa or Google assistant to claim that a device update is available and ask the user for their password to confirm installation.
“It was always clear that those voice assistants have privacy implications – with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes,” said Fabian Bräunlein, senior security consultant at SRLabs.
“We now show that, not only the manufacturers, but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”