These apps can turn your smart speaker into a spying device

22 Oct 2019

Image: © rcfootstock/

Your Amazon Alexa or Google Home could be converted into a voice-phishing and eavesdropping device, according to Security Research Labs.

Smart speakers have increased sharply in popularity in recent years, evolving from something reserved for the most gadget-happy among us to a staple in the family home.

However, the devices have raised concerns within the security community due to frequent reports of the various ways hackers can exploit them, compromising the privacy of users in the process.

The latest report from Berlin-based cybersecurity firm Security Research Labs is sure to further fan those flames of doubt, as it demonstrates that hacker could possibly use the devices to phish for sensitive information and eavesdrop on its users.

Smart speakers such as Google Home and Amazon Alexa allow users to use voice commands to do basic tasks and search for relevant information. However, users can extend the speaker’s capability by installing apps created by third-party developers. These apps, the research team maintains, can create privacy issues.

Proof-of-concept development

The research team used standard development interfaces to create apps that were able to collect personal data, including user passwords, and even eavesdrop on users after they believed that the smart speaker had stopped listening.

The team used various features built into the smart speakers to create what it terms the “smart spies” hack, recording videos of staff using a speaker containing the malicious applications and showing how these apps can be used by attackers.

For the Google Home device, for example, it showed that the hack can be used to “monitor the user’s conversations indefinitely” by putting the user in a loop where they are constantly sending recognised speech to the hacker’s server.

Alexa speakers didn’t demonstrate the same eavesdropping capability, but could be reworked to keep listening to users for several seconds after the user would assume the device had stopped listening.

Any app, the researchers continued, can be used to send voice phishing messages to the user, saying things such as: “An important security update is available for your device. Please say start update followed by your password.”

“To prevent ‘smart spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party skills and actions made available in their voice app stores,” the report concluded.

It noted that both companies were alerted to the vulnerabilities. Amazon and Google both subsequently blocked the malicious apps from their respective stores.

Eva Short was a journalist at Silicon Republic