Google Assistant May Support Malware That Steal Users' Passwords
Aadhya Khatri
In an experiment, a research lab succeeded developing apps for Alexa and Google Assistant with the main purpose is to phish for users’ information
- Google Assistant Now Makes It Irresistible To Wear Face A Mask
- Here's How To Get A Makeshift Podcast From Any Text-Based Story
- How To Curb Your Roommate's Laziness: Google Assistant's 'Sticky Notes'
Now we have more Google Assistant apps than anyone can ever use, so slipping some malware to the mix is not that hard to execute.
In an experiment, a research lab succeeded developing apps for Alexa, and Google Assistant with the primary purpose is to phish for users’ information. The lab in question is Germany’s Security Research Labs and they have created a total of eight apps, all of which have passed the security screening of Google and Alexa.
The apps are horoscope checkers. While they may work a bit different from the other, all of them have the same underlying principle. What they really do is to listen and steal users’ passwords.
So here is how they work. The user may ask for something like:
“OK Google, ask My Lucky Horoscope to give me the horoscope for Taurus.”
After giving the user what he or she wants, the app will play the sound that Google uses when a third-party app has been closed to give the impression that the app is no longer running. After the sound is played, the app will record for the next 30 seconds and send all the recordings to a server.
The video down below shows another example of an app mimicking the voice of Google Assistant to fool users that it has been closed. It will wait for a minute and then mimic the voice again to steal users’ passwords for their Google accounts.
The second way of attack is easier to detect than the first one. The apps the researchers in this experiment have been removed but they show that Google and Amazon need to be more careful not letting malicious apps slipping through their defense like that.