Professional hackers managed to sneak fake horoscope apps past Amazon and Google that spied on people's conversations with Alexa and Google Assistant

Google Home Mini
  • Whitehat hackers have proven that it's possible to develop malicious apps hosted by Google Home or Amazon Alexa that spy on users' conversations and phish for personal information like passwords.
  • The eavesdropping apps, posing as astrology apps and random number generators, passed Amazon and Google security checks, meaning they could be downloaded onto any Alexa or Google Home-enabled device.
  • Whitehat hackers created and publicized the apps to demonstrate pitfalls in Amazon and Google security standards - the eavesdropping apps have not been used against unsuspecting users, and have since been removed by the developer.
  • Visit Business Insider's homepage for more stories.

Conversations with Google Home or Amazon Alexa have never been strictly confidential - both companies have admitted that they send some audio snippets to workers who listen to voice recordings to help improve the software. 

But a group of whitehat hackers have now demonstrated that third-party apps hosted by Google Home or Alexa can also log users' conversations, even after tricking users into thinking the apps aren't active.Advertisement

Developers at Germany's Security Research Labs created four Alexa "skills" and four Google Home "actions" that pose as astrology apps or random number generators but are designed to secretly listen to people's voice and send a transcript back to third-party servers. Certain versions of the app mimic Alexa or Google Assistant, pretending to offer a software update and asking users to input their password.

All eight of the apps passed Amazon or Google security checks, meaning they could have been made available for public download on either platform, according to the researchers. A Google spokesperson was not immediately available to respond to Business Insider's requests for comment.

"Customer trust is important to us, and we conduct security reviews as part of the skill certification process," an Amazon spokesperson told Business Insider. "We quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified. It's also important that customers know we provide automatic security updates for our devices, and will never ask them to share their password."

Here's how the apps work: First, they gave users the expected message - either a randomly generated number or a brief horoscope. Next, the apps go silent, giving users the impression that the software has closed, while still listening to conversations and sending a copy of transcripts to a third-party server.

The malicious apps can also impersonate Alexa or Google Home to ask users for sensitive information. As demonstrated in the videos below, the apps give the impression that the software has closed, then impersonate Alexa to prompt users to input their password to download a software update.The researchers have already taken the apps offline and said they have privately reported their findings to Google and Amazon. Advertisement

Exclusive FREE Slide Deck: 40 Big Tech Predictions for 2019 by Business Insider Intelligence