“Hey Google, Remind me to be Phished” Exploiting the Notifications of the Google (AI) Assistant on Android for Social Engineering Attacks

Weinz, M., Schroeer, S. L., & Apruzzese, G., APWG Symposium on Electronic Crime Research, 2024 Conference
Oneliner: There is a functionality of the Google Assistant that needs to be looked at...

Abstract. We showcase how to maliciously exploit a functionality of the Google ecosystem (specifically, of Android) by elucidating how the notifications generated by the Google Assistant may help phishers in reaching their goals. We found that Android users who have Google Assistant check their inbox will be reminded to carry out duties that are solicited in emails that have never been opened before. From a social-engineering perspective, attackers can send specific emails to Android users, and these users will receive notifications (from Google) “reminding” them that a task is soon due, thereby urging them to “fall for phish.” Just imagine: while going through your day, you suddenly receive a notification on your smartphone saying that “An outstanding task is soon due.” Tapping on the notification leads to opening an email which, if malicious, contains ill-purposed content, such as harmful links or malware attachments. The sense of urgency from the unexpected reminder may lead to overlooking some phishing cues—facilitating social engineering attacks.

This subtle (and novel) threat is rooted in the quintessential functionalities of smart (AI-based) assistants that passively analyze our data to improve our digital well-being. Users of these tools must be made aware of this issue to prevent harmful consequences. Therefore, besides describing our discovery and analysing it under a security lens, we also (i) carry out a user study to gauge the potential impact of this issue; and (ii) emphasize some practical takeaways for both users and developers. We disclosed our finding to Google: they acknowledged the possibility of attacks, but stated that no fix to their software will be made.
