At least eight eavesdropping apps have slipped past Google and Amazon's app verification process and made their way into their respective app stores, ready to be downloaded onto the smart speakers of unsuspecting victims.
As Ars Technica reports, researchers at the hacking collective Security Research Labs (SRLabs) built four Google Home actions and four Alexa skills. On the surface they were innocuous tools for checking horoscopes and generating random numbers, but they were also capable of phishing for passwords and monitoring users' conversations.
All of these apps passed through Google and Amazon's security checks, and were published for others to download.
When a user asked for their horoscope, the eavesdropping apps read it out as expected. They then appeared to exit, but in fact kept their session open and continued listening in the background. Whatever the microphone picked up was logged and sent to a remote server.
When a victim tried to use one of the phishing apps, they were told that the app was unavailable in their country. The app nonetheless kept running, and after a short pause announced, in a voice resembling that of Alexa or Google Home, that an update was available and asked the user for their password.
Researchers at Sophos recently identified several apps in the Google Play Store that used a similar trick, throwing up fake error messages while continuing to run in the background and perform malicious operations, but users are even less likely to expect such malware on their smart speakers.
Play it safe
SRLabs reported its findings to Amazon and Google, both of which removed the apps from their respective stores and promised they would tighten their appraisal processes in the future to make sure genuinely malicious software isn't able to slip through the same way.
For the time being, you're well advised to follow the Sophos team's advice on installing new apps: always read the reviews, and sort them so you see the most recent ones first, since the malicious behaviour might have been added in a recent update. Filter out any five-star reviews with no written text, as these are likely to be fake, and look closely at the remainder.
If several reviewers complain about the app causing problems or not behaving as expected, you'd be better off avoiding it.