Phishing for passwords with Amazon Alexa & Google Home

Security researchers successfully develop phishing apps to phishd passwords, using Amazon Alexa and Google Home.


  • Security researchers successfully built phishing apps for Alexa & Google Home
  • The phishing apps pretend to have closed, but secretly stay listening
  • The apps successfully got through Amazon & Google security vetting
  • Can be used to phish for passwords, and other sensitive data
  • Great opportunity for security professionals to provide relevant, targeted education to end-users

Full story

More concerning news for those using Amazon Alexa and Google Home has been published by Arstechnica - with whitehat hackers at Germany's security labs successfully developing phishing apps for both Alexa and Google home. These phishing apps successfully made it through Amazon and Google's security vetting process, Dan Goodin of Arstechnica explains:

"By now, the privacy threats posed by Amazon Alexa and Google Home are common knowledge. Workers for both companies routinely listen to audio of users—recordings of which can be kept forever—and the sounds the devices capture can be used in criminal trials.

Now, there's a new concern: malicious apps developed by third parties and hosted by Amazon or Google. The threat isn't just theoretical. Whitehat hackers at Germany's Security Research Labs developed eight apps—four Alexa "skills" and four Google Home "actions"—that all passed Amazon or Google security-vetting processes. The skills or actions posed as simple apps for checking horoscopes, with the exception of one, which masqueraded as a random-number generator. Behind the scenes, these "smart spies," as the researchers call them, surreptitiously eavesdropped on users and phished for their passwords."

The news is likely to present a concern to both home users and organisations; and will no doubt fuel the conversation around the privacy implications of smart device security and whether they should be disclosed to visitors. It will also likely raise questions around the security vetting processes used by Amazon, Google and Apple - specifically how more can be done to ensure users of their products are protected from malicious third-party apps.

As security professionals, what can we do?

As ever, raising security awareness of the risks of smart devices is critical; enabling people to make more informed security decisions, both at work and at home. At CultureAI, we recommend clients identify employees that use these products at home and use this insight to provide targeted, highly-relevant and effective security education without the risk of over-training employees that don't use them. If you don't have an easy way to do this; give the CultureAI platform a shot for free below, or use the link to talk to one of our cyber security culture experts who will be happy to help.

For those already using CultureAI; your employees will already have this alert in their cyber security centre and be able to access professional security advice if they have one of these devices.

Want to measure human risk across your organisation & transform the security decisions your employees make?

Try CultureAI free. Within 30 days your employees will each have a security score allowing you to find the riskiest employees and departments, whilst automated nudges and personalised education will help transform their security decisions.

No committment. Cancel anytime.
About this post
Published 22nd October 2019
Last Updated 22nd October 2019
Written for Small Businesses
Medium Businesses
Security Awareness Professionals
Cyber Security Professionals
The author
James Moore, CultureAI
James Moore
CEO and founder, CultureAI
James is a cyber security expert & GCHQ approved security awareness trainer. He's worked with many of the worlds leading organisations to signficantly improve employee security behaviour and transform cyber security culture. He believes in using technology to support & empower employees to behave securely, at both work and home.
Trusted by

Improve your workforces' security decisions

Start benchmarking and improving your human risk today, free for 30 days