Google Assistant May Support Malware That Steal Users' Passwords

Now we have more Google Assistant apps than anyone can ever use, so slipping some malware to the mix is not that hard to execute.

In an experiment, a research lab succeeded developing apps for Alexa, and Google Assistant with the primary purpose is to phish for users’ information. The lab in question is Germany’s Security Research Labs and they have created a total of eight apps, all of which have passed the security screening of Google and Alexa.

The apps are horoscope checkers. While they may work a bit different from the other, all of them have the same underlying principle. What they really do is to listen and steal users’ passwords.

So here is how they work. The user may ask for something like:

“OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus.”

After giving the user what he or she wants, the app will play the sound that Google uses when a third-party app has been closed to give the impression that the app is no longer running. After the sound is played, the app will record for the next 30 seconds and send all the recordings to a server.

The video down below shows another example of an app mimicking the voice of Google Assistant to fool users that it has been closed. It will wait for a minute and then mimic the voice again to steal users’ passwords for their Google accounts.

The second way of attack is easier to detect than the first one. The apps the researchers in this experiment have been removed but they show that Google and Amazon need to be more careful not letting malicious apps slipping through their defense like that.