It is already known that many Android apps track users without their knowledge, but now researchers have found that hundreds of applications could be tracking users covertly via inaudible sounds emitted by nearby devices. Researchers claim that such a technique can even be used to de-anonymize Tor and Bitcoin users.
Beacons help advertisers track your location
A team from the German Technical University of Braunschweig (Brunswick), found over 234 Android applications containing code called SilverPush, which listens for ultrasonic signals emitted by beacons or embedded in media. In April 2015, the researchers found that only six apps were using ultrasound cross-device tracking technology.
In recent years, companies have been hiding beacons in their ads to track users’ devices and learn more about them, notes the Independent. Beacons are ultrasonic audio signals that are inaudible to humans. Companies embed these beacons in the ultrasonic frequency range between 18 and 20 kHz of audio and detect them with regular mobile apps using the microphone of the device.
These beacons enable advertisers to track the location of users and find out what kinds of ads they see on their TV and which other devices they have. Thus, the apps, which are primarily intended to track the shopping habits and media consumption of users to assist in targeting advertising, could be used to establish the identities of users across several devices.
“Throughout our empirical study, we confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously,” the researchers say.
Popular Android apps covertly spying on users
The research team identified such apps by comparing SilverPush code to a database of 1.3 million apps. However, the company that created the listening tool does not agree that its technology is still in use, as it stopped supporting the software after privacy issues, notes the Telegraph.
The researchers did not name any particular apps, but they did say that several have millions of downloads and are part of reputable companies such as Krispy Kreme and McDonald’s, notes the Independent. Those apps were installed by over 500,000 Android users. The other apps were targeted at users in the Philippines and India, and some had as many as 5 million downloads, notes Fortune.
The research team also detected ultrasonic beacons in four of the 35 retail stores they visited in Europe, but they were unsuccessful in finding any signals in media after reviewing over 140 hours of audio and television, notes Fortune. The researchers presented their findings at an IEEE conference late April.
According to the researchers, device tracking is a serious threat to users’ privacy because it enables advertisers to spy on their activities and habits. However, the threat is not as worrying either, as customers need to have the application open for advertisers to use them for tracking purposes.
Nevertheless, users should be very selective and careful about the apps they download on their mobile device. If any app is asking for permission to use your microphone or camera and you are suspicious, think twice before downloading it.
