German researchers uploaded proof-of-concept apps for both Amazon Skills and the Google Play Store, and both were allowed to pass QA. The researchers created a phony horoscope app that used some novel coding techniques to trick both Alexa and Google Home, turning them into social engineering and phishing tools. According to Ars Technica, "Whitehat hackers at Germany’s Security Research Labs developed eight apps—four Alexa “skills” and four Google Home “actions”—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these “smart spies,” as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords."
“It was always clear that those voice assistants have privacy implications—with Google and Amazon receiving your speech, and this possibly being triggered on accident sometimes,” Fabian Bräunlein, senior security consultant at SRLabs, told me. “We now show that not only the manufacturers but… also hackers can abuse those voice assistants to intrude on someone’s privacy.”
The researchers demonstrated social engineering and phishing techniques by embedding code that put Alexa and Google Home into a silent mode while they were still recording. During the silent period, the conversation was recorded, transcribed and sent back to the attacker/publisher. They also inserted a realistic assistant voice that phished users by announcing that a new update was available for their device but that they needed to say their password. They could just as easily have asked for a credit card number or other information. Both Google and Amazon removed the rogue apps after the researchers informed them, and both platforms say they have now addressed the vulnerability. It is highly plausible that some users could be fooled into providing passwords or private information, given that the instructions were coming through a trusted venue like Alexa or Google Home.