Millions of Android devices may be surreptitiously listening for nearby audio signals that can be used to identify the devices’ owners, according to a new academic study.
The paper by the Technical University of Brunswick, Germany, found that more than 200 applications available on Google’s official Play store contained audio tracking code from Silverpush, a startup founded in New Delhi, India, and now also operating in the US.
The finding is worrying because some of the apps involved are popular, with more than one million downloads, or are produced by well-known brands, including McDonald’s and Krispy Kreme, and because they don’t inform the user that the tracking activity is taking place.
Audio-based tracking can be used to degrade users’ privacy, identifying users across devices and even potentially helping reveal the identities of Bitcoin and Tor users, according to the researchers.
A text message app developed in India and a word game popular in the Philippines had both been downloaded between one million and five million times, according to official Google figures cited in the paper.
The apps produced by McDonald’s and Krispy Kreme for the Philippines market also contained Silverpush listening code, and had been downloaded between 100,000 and 500,000 times, the paper said.
Silverpush came to public notice in October 2015 when the US Federal Trade Commission (FTC) sent letters to 12 unnamed app developers warning that their use of Silverpush features to track users without their consent could make the products illegal in the US.
The technology was particularly concerning as it listened all the time, even when the application wasn’t in use, according to the Centre for Democracy and Technology. The beacons are intended to identify users across multiple devices in order to help make advertising more effective.
Silverpush said shortly afterward it was abandoning its use of ultrasonic beacons, which were intended to be embedded in online, audio and television ads that would be detected by software running on a user’s mobile device.
The company confirmed to technology website Ars Technica that it had not used the audio beacons since late 2015.
The Brunswick researchers, however, said they verified that the 234 samples collected all contained code that covertly listened for and identified ultrasonic audio beacons.
“The case of Silverpush emphasises that the step between spying and legitimately tracking is rather small,” they wrote.
While they were unable to identify any beacons embedded in television feeds from seven countries, including the US, the Philippines and India, the researchers concluded the infrastructure is in place for such beacons to be deployed and tracked.
Google confirmed that Play requires apps to disclose how they collect and use data, but didn’t respond to a request for comment as to why the apps involved remain on the official marketplace.
Silverpush did not immediately respond to a request for further comment.
The researchers analysed two other apps, Lisnr and Shopkick, and found that both are actively embedding ultrasonic beacons, Lisnr in music and Shopkick in physical shops.
In their cases, however, users are aware that the apps are listening for ultrasonic signals.
“Throughout our empirical study, we confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously,” the researchers wrote.
Lisnr transmits data packets in ultrasonic signals embedded in music, while Shopkick rewards consumers for entering participating shops, which are identified by the audio beacons.
The study found that Shopkick beacons were used in four of the 35 shops tested in two European cities.
“Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences,” the paper states.