German security researchers from Security Research Lab created a suite of apps for Google and Amazon smart speakers that did trivial things for their users, appeared to finish and go dormant, but which actually stayed in listening mode, then phished the user for passwords spoken aloud to exfiltrate to a malicious actor; all their apps were successfully smuggled past the companies app store security checks.
The basic workflow is this: the app is invoked by a voice command ("Give me my horoscope"), then appears to terminate, by playing a null character (U+D801), which is played as silence. After a long interval, the speaker then spoke in a voice that terminated the speaker's OS, with a fake error message asking for a password to allow for a security update.
The researchers reported their findings to Google and Amazon and withdrew their apps from the manufacturers' app stores, both companies say they are putting new policies in place to prevent similar future attacks.
All of the malicious apps used common building blocks to mask their malicious behaviors. The first was exploiting a flaw in both Alexa and Google Home when their text-to-speech engines received instructions to speak the character "�." (U+D801, dot, space). The unpronounceable sequence caused both devices to remain silent even while the apps were still running. The silence gave the impression the apps had terminated, even when they remained running.The apps used other tricks to deceive users. In the parlance of voice apps, "Hey Alexa" and "OK Google" are known as "wake" words that activate the devices; "My Lucky Horoscope" is an "invocation" phrase used to start a particular skill or action; "give me the horoscope" is an "intent" that tells the app which function to call; and "taurus" is a "slot" value that acts like a variable. After the apps received initial approval, the SRLabs developers manipulated intents such as "stop" and "start" to give them new functions that caused the apps to listen and log conversations.
Alexa and Google Home abused to eavesdrop and phish passwords [Dan Goodin/Ars Technica]