Have you heard of ultrasonic tracking? You may not be aware of it but it doesn’t mean you aren’t subjected to it. As discovered by researchers at Technische Universit at Braunschweig Brunswick, Germany, more and more Android applications are listening for ultrasonic beacons in the background. This way companies are able to track users’ current location or their habits. Of course, users remain unaware of what is happening.
Related: Used Devices for Sale Contain Lots of Recoverable PII
To be more precise, the researchers have come across 234 Android apps capable of this type of tracking. They also unearthed four stores in two European cities that employ this technique to track users. The research is titled “Privacy Threats through Ultrasonic Side Channels on Mobile Devices”.
Device tracking is a serious threat to the privacy of users, as it enables spying on their habits and activities. A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices.
What Is Ultrasonic Tracking (Ultrasonic Cross-Device Tracking)?
This technology uses inaudible, high-frequency sounds that link users’ devices (TVs, mobile devices, computers) to help advertisers with tracking. The ultrasounds can be embedded into TV and radio commercials, or may be hidden in JavaScript code in advertisements typically shown in browsers. The ultrasounds are inaudible to the human ear but are detected by microphones on devices. In other words, the user’s phone will know when to display an ad and even what type of ad to display.
The tracking happens via a receiving application which is already installed on a listening device. Even though there are cases of users consenting to this tracking, the examples of mobile apps doing this without users’ knowledge or permission are definitely a lot more.
Advertising platforms are known to employ ultrasonic tracking to track the ads people are watching and determine their effectiveness as well as the behavior afterwards. Do users buy the products shown in the ads? What time do users spend watching the ads? The more devices users are using, the more specific the answers to these questions become. The whole process serves to create better advertising profiles and takes targeted advertising to a whole new level.
Related: FalseGuide Malware Connects Android Devices to Adware Botnet
Corporations like Google and Nestle are either investing in this technology, or are likely relying on the services of companies that provide ultrasonic tracking like SilverPush or Signal360.
What about the specific 234 Android apps recently found by researchers? To outline this exact number, the experts went through millions of Android apps which were submitted to VirusTotal. Just a small number of apps were using the Shopkick and Lisnr. However, plenty of other apps were using the SilverPush SDK, which helps developers track users across multiple devices.
What Is the SilverPush Company Doing?
SilverPush is a company based in San Francisco specialized in developing cross-device tracking software used for user tracking and targeted advertising. The software developed by the company can be embedded into mobile apps. The software operates without the knowledge of users.
A research from April, 2015, revealed that the software developed by SilverPush was used by only a handful of apps. Nonetheless, this allowed the company to monitor18 million smartphones! These numbers have most certainly grown since then, and are most certainly continuing to grow.
The developers of Silverpush filed a patent whichrecently raised attention in the media due to its privacy threat: The patent proposes to mark TV commercials using ultrasonic beacons, thus allowing them to precisely track a user’s viewing habits. In contrast to other tracking products, however, the number and the names of the mobile applications carrying this functionality are unknown. Therefore, the user does not notice that her viewing habits are monitored and linked to the identity of her mobile devices.
As for the apps discovered by the researchers, they are characterized with a high coverage among users and are downloaded thousands of times. Even if the audio beacons are not embedded in TV commercial, the researchers’ findings indicate that SilverPush has launched its deployment on the receiver side, the research notes.
Related: Your Deleted Browser Records Could Still Be on Apple’s iCloud
All of this simply means that the difference between spying and tracking is becoming indistinguishable. The employment of ultrasonic tracking is turning into a serious privacy issue, enabling user deanonymization in various aspects.
How Can Users Protect Their Devices from Ultrasonic Cross-Device Tracking?
Protecting your device may not be that difficult after all, even though it may not correspond well with your habits. No matter if you are using Android or iOS you can configure your device so that an app is not allowed to use your device’s mic. Plenty of apps are asking for this permission without really needing it to function.
The researchers also offer other measures that could be added to Android: detection of implementations, and notification.
Detection of Implementations
An option is to scan for applications for known functionality of ultrasonic side channels, researchers suggest. As with a virus scanner, this detection can be applied locally on the device as well as globally on a market place. Detecting the corresponding functionality can be hindered by obfuscating the respective implementations.
Notification
Just as for Bluetooth or Wifi, a more sophisticated control of the audio recording is likely the best strategy for limiting the impact of ultrasonic side channels, the paper says. A mixture of user notifications and a status in the pull down menu will notify the user when a recording takes place. Simple as that!