The Israel-based security software company, Checkmarx has recently found out that flaws in the personal voice assistant technology in several Android devices could have rendered them vulnerable to hackers and other security threats.
Researchers at Checkmarx demonstrated this security threat by developing a mock-up weather app that would ask access to the device’s voice assistant.
“The malicious app we designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design. When the client starts the app, it essentially creates a persistent connection back to the [command and control] server and waits for commands and instructions from the attacker, who is operating the C&C server from anywhere in the world. Even closing the app does not terminate the persistent connection.” – They explained
Consequently, such technological holes could expose the user and the phone security to the invasion of privacy, such as keeping the user in the dark while taking their photos and videos and even tracking their location.
These flaws have mostly been found to exist in Google Assistant in Google Pixel smartphones and in Samsung’s Bixby and its Galaxy series, as per the research published by Checkmarx on Tuesday.
The company stated that these technological loopholes could have enabled hackers to misuse the tech and record two-way conversations, silence the shutter on a phone’s camera and collect GPS location based on a device’s Metadata, especially because voice assistants don’t need to ask for permission to capture media.
Fortunately, the security patch made available on Play Store by Google and Samsung is available since this July and it has protected these Android devices from such infiltration and misuse of information.
That security threat increases with the development of technology and had been proved previously when researchers found that they could intercept Wi-Fi usernames and passwords from customers who installed Amazon’s Ring doorbells on their homes. By and by, this creates new means for cybercriminals to abuse user data.