Millions Of Android Devices ‘Covertly Listening For Audio Beacons’
More than 200 apps on Google Play contain code that listens for ultrasonic beacons in order to identify users across multiple devices, finds a study
Millions of Android devices may be surreptitiously listening for nearby audio signals that can be used to identify the devices’ owners, according to a new academic study.
The paper by the Technical University of Brunswick, Germany, found that more than 200 applications available on Google’s official Play store contained audio tracking code from Silverpush, a startup founded in New Delhi, India, and now also operating in the US.
Audio beacons
The finding is worrying because some of the apps involved are popular, with more than one million downloads, or are produced by well-known brands, including McDonald’s and Krispy Kreme, and because they don’t inform the user that the tracking activity is taking place.
Audio-based tracking can be used to degrade users’ privacy, identifying users across devices and even potentially helping reveal the identities of Bitcoin and Tor users, according to the researchers.
They found a total of 234 apps on Google Play that included Silverpush listening code, including some with large numbers of downloads.
A text message app developed in India and a word game popular in the Philippines had both been downloaded between one million and five million times, according to official Google figures cited in the paper.
The apps produced by McDonald’s and Krispy Kreme for the Philippines market also contained Silverpush listening code, and had been downloaded between 100,000 and 500,000 times, the paper said.
Covert tracking
Silverpush came to public notice in October 2015 when the US’ Federal Trade Commission (FTC) sent warning letters to 12 unnamed app developers warning that their use of Silverpush features to track users without their consent could make the products illegal in the US.
The technology was particularly concerning as it listened all the time, even when the application wasn’t in use, according to the Centre for Democracy and Technology. The beacons are intended to identify users across multiple devices in order to help make advertising more effective.
Silverpush said shortly afterward it was abandoning its use of ultrasonic beacons, which were intended to be embedded in online, audio and television ads that would be detected by software running on a user’s mobile device.
The company confirmed to technology website Ars Technica that it had not used the audio beacons since late 2015.
No user consent
The Brunswick researchers, however, said they verified that the 234 samples collected all contained code that covertly listened for and identified ultrasonic audio beacons.
“The case of Silverpush emphasises that the step between spying and legitimately tracking is rather small,” they wrote.
While they were unable to identify any beacons embedded in television feeds from seven countries, including the US, the Philippines and India, the researchers concluded the infrastructure is in place for such beacons to be deployed and tracked.
“Even if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future,” the study states.
Google confirmed that Play requires apps to disclose how an app collects and uses data, but didn’t respond to a request for comment as to why the apps involved remain on the official marketplace.
Silverpush did not immediately respond to a request for further comment.
Active exploitation
The researchers analysed two other apps, Lisnr and Shopkick, and found that both are actively embedding ultrasonic beacons, Lisnr in music and Shopkick in physical shops.
In their cases, however, users are aware that the apps are listening for ultrasonic signals.
“Throughout our empirical study, we confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously,” the researchers wrote.
Lisnr transmits data packets in ultrasonic signals embedded in music, while Shopkick rewards consumers for entering participating shops, which are identified by the audio beacons.
The study found that Shopkick beacons were used in four of the 35 shops tested in two European cities.
“Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences,” the paper states.
What do you know about the history of mobile messaging? Find out with our quiz!