One thing you’ll probably never hear an Amazon Echo Dot user say is, "Alexa, steal my personal data."
But where there’s a will, there’s a way, and nefarious scammers found a way to slink past Apple’s review process and slip in a new app that scammed Alexa users out of personal data on their devices and home WiFi networks.
According to 9to5Mac, "Setup for Amazon Alexa" zoomed up Apple’s app charts, hitting #6 in the Utilities category and scoring an impressive 9,000 ratings before the app police at Apple yanked it from the App Store. And with Amazon Dot being one of the hot holiday gifts this season, it’s a safe bet that 9,000 number barely scratches the surface of those who took the bait.
So far, however, neither Apple nor Amazon has taken action beyond Apple removing the malicious entry from its App Store, and only one member of the Apple support community and a handful of Reddit subscribers have raised a flag about the issue.
The dirty deed
The app’s modus operandi is to ask the end-user for their current internet protocol (IP) address, as well as the serial number of the device and the username associated with the device.
Once it gets that in its grubby little hands, it’s free to wander about the user’s data pool and apparently pilfer whatever data the app’s masterminds want.
The masterminds? 9to5Mac reports that all signs point to "One World Software", a company that reportedly has two other suspicious apps. One is "Buy/Sell," which mimics Facebook’s color scheme, and another is called "Any Font for Instagram."
Fake apps have been a hot topic the past few holidays, but there are some red flags that consumers can look out for to detect if an app they’re downloading is a scam. Look for grammatical or spelling errors, and be wary of any app that has no reviews or no history of previous versions. In a situation like this with an Amazon-created product, it’s safer to stay away from any apps that aren’t created by Amazon itself.