This Scam App Wants to Trick Amazon Echo Users Into Taking a Huge Security Risk

May 13, 2019

Update 5/17: The app has been pulled from the App Store.

The App Store will celebrate its 11th birthday in July. But even after more than a decade of existence, Apple still can’t seem to get a handle on apps that have a single purpose – scam users out of money.

The Problem Continues

In late November, 9to5Mac exposed an app that used some on-screen trickery while claiming to read your heart rate via Touch ID. Anyone who fell for the scam was out $89.99.

But just as one scam disappears, another pops up. The latest one we’ve uncovered is Echo Setup App. You can take a look at the App Store page here, but obviously don’t download it.

Arriving in late April, the app has climbed as high as No. 90 among the free apps in the Productivity section. And it’s a complete and utter ripoff that takes the infamous technical support scam to the “walled garden” of the App Store.

A Troubling Scam

If you’re not familiar with the tech support scam, it uses social engineering to prey on users without much tech savvy. The scammers cold call potential victims saying that their computer has a problem with a virus or some other kind of issue.

Once they find someone who believes the spiel, they direct the victim to provide remote access to their computer. The scammer can then gain access to credit card or banking information, or even force the user to pay for their “service.”

Echo Setup App is aimed at users new to the Amazon Echo line of smart speakers powered by the Alexa voice assistant.

The official Amazon Alexa app is actually used to set up any one of the speakers. But some users might not read the instructions included with any Echo device and download the scam app from “developer” Hitseh Kumar. He’s not exactly from Amazon.

What it Does

Just by reading the app notes full of broken English, it’s obvious that the app is a scam, especially when you read the last line that references being able to “talk to our support team.” The app support link also directs users to a sketchy site claiming to help users find Alexa skills and set up their devices with just a call to a toll-free number.

And the app reviews confirm the worst. To see what happened firsthand, I downloaded the app to see what would happen.

To start, I selected my device from a menu. On the next page, the app told me to plug in my Echo and then wait for an orange light. The next screen is where the scam begins and asks users to press a button to download the Alexa app.

Each time I tried, the “download” stopped at 69 percent. (Scammers apparently have the sense of humor of a 14-year-old boy, go figure.)

A dialog box requested that I call the same toll-free number, 1-844-299-3555, scattered throughout the app.

I played along with the agent “Victor.” And in less than 60 seconds, he was asking me to log on to a site to begin the remote access process. I hung up. But someone less savvy might have fallen for the spiel.

At least one reviewer stated that they went further than I did, and were told that there was a $5 per minute charge and that the “support” team needed to take remote control of a computer to finish the setup.

With control of a computer, the scammers could take much more than just money.

Why Can't Apple Stop This?

Simply put, there’s no reason an app like this should have ever been approved by the App Store team. The Echo Setup App screams scam from just a cursory look at the app notes and images.

On Twitter, real developers talk every day about how Apple rejects new apps or updates because of the slightest mundane issue. Why can’t the same amount of scrutiny be given to every app submitted for approval?

Apple is counting on revenue from services, including the App Store, to power the company through declining iPhone sales. But the company has to do better to make sure apps like Echo Setup App never see the light of day so consumers don’t have to worry about being scammed out of financial data, or maybe even worse – private data from their computer.