Fake Amazon Alexa App Caught Stealing User Names, IPs, Device Serial Numbers

Amazon’s Echo has been one of the most popular IoT purchases in recent years, giving users unprecedented convenience but also an occasional scare. The latest negative press surrounding Amazon’s assistant involves a scam app that somehow made it into Apple’s walled garden to steal user data.

Echo comes in two variants, a small one and a big one. Both are powered by Amazon vocal-activated assistant, Alexa.

As reported by 9to5mac, a fake Amazon Alexa setup app was able to quickly climb the iOS App Store charts in what was likely a surge in demand for Echo activations following the Christmas gifting bonanza. Developed and sold by a company called One World Software, “Setup for Amazon Alexa” was designed to trick users into handing over their IP address alongside the device serial number and a name.

When the negative reviews started trickling in, including some on reddit, Amazon contacted Apple and had the software removed. And as 9to5 notes, the developer in question sells several other shady apps in Apple’s App Store: “Marketplace – Buy/Sell,” and “Any Font for Instagram.”

Alexa has been the subject of quite a bit of controversy lately. The most recent incident was reported just over a week ago, when Amazon mistakenly sent a couple’s archived Alexa recordings to a complete stranger. And around two months ago, a judge ruled that Amazon was to release Echo audio files linked to a murder case.

Echo’s always-on nature makes it a creepy device for some. But this fake app is not Amazon’s fault. Instead, it is the folks at Apple who need to revamp their App Store approval process and keep this kind of fishy software out of their venue.