Alexa and Google Assistant Susceptible to Social Engineering Apps

A recent white hat test performed by Germany’s Security Research Labs (SRLabs) demonstrated the abysmal security that these voice-operated systems currently display. The analysis used a pair of malicious apps designed to collect user information, either through phishing or eavesdropping. Hidden inside seemingly ordinary programs for a random number generator and a horoscope app, the malware made its way onto the app stores for both devices.

Glaring Problems in Security

The eavesdropping apps functioned well within the test environment. Because of the way the apps were programmed, they would give the user an audio confirmation that the app had closed, yet the app kept running and listening in the background. The recorded data could then be sent to a remote location to be processed. The scariest part is that most users wouldn’t even think to check whether the application was still running on the device.

The phishing app is a bit more insidious. After the user attempts to run the application, he or she receives an error message with an audio confirmation that the application has stopped running. The app then sits silently in the background for a few moments before claiming that an update for the device is available. To get the update, the app states, the user must let it collect the password for their user account on the device. While most seasoned users of digital devices would become wary at a request for a password, less experienced users may assume it is necessary. The result would be the disclosure of personal information to the malicious app.

Different Levels of Monitoring

On the Alexa app, SRLabs noted that once the app gave the close confirmation, it needed a trigger word to resume monitoring. The developers got around this hurdle by using a generic word such as “I” to prompt the device back into action. On Google Home devices, no trigger word was necessary, and the app could continue to eavesdrop and record indefinitely. The most disturbing part of the entire affair is that all of the apps used by SRLabs made it onto the store pages for both devices and were only removed by SRLabs themselves after the research was complete.