Alexa and Google Home abused to eavesdrop and phish passwords
Found on Ars Technica on Tuesday, 22 October 2019
The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords.
The phishing apps follow a slightly different path by responding with an error message that claims the skill or action isn't available in that user's country. They then go silent to give the impression the app is no longer running. After about a minute, the apps use a voice that mimics the ones used by Alexa and Google home to falsely claim a device update is available and prompts the user for a password for it to be installed.
It was only a matter of time. If you think it's a smart idea to place a microphone in your house where random developers around the globe can write applications for, you might want to reconsider your stance.