Android Apps with Ultrasonic Beacons Track People's Daily Habits

As if consumers didn’t have enough to worry about when it comes to privacy, researchers have uncovered a slew of Android apps that silently send out ultrasonic signals that allow devices to be tracked—without their owners having any idea.

According to academic research from Technische Universität Braunschweig in Brunswick, Germany, these apps embed ultrasonic beacons into audio, and track them using the microphone of mobile devices. All of it is outside of the human range of hearing, so people are none the wiser.

“This side channel allows an adversary to identify a user’s current location, spy on her TV viewing habits or link together her different mobile devices,” the authors explained. “We spot ultrasonic beacons in various web media content and detect signals in four of 35 stores in two European cities that are used for location tracking…[and] we spot 234 Android applications that are constantly listening for ultrasonic beacons in the background without the user’s knowledge.”

As the reference to the stores indicates, this functionality is mainly used for location-based advertising. For instance, the mobile application Shopkick provides rewards to users if they walk into certain Shopkick partner stores. And in the case of mobile applications like Lisnr and Signal360, users will receive location-specific content on mobile devices such as vouchers for festivals and sport events.

Rather than using GPS tracking, long a privacy-busting bugbear, these apps use ultrasonic beacons. Speakers at the entrance to a shop will emit an audio beacon that lets an app determine whether the user walked into a store.
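To check a recording for this kind of inaudible carrier, the sketch below probes a near-ultrasonic band with the Goertzel algorithm and reports the strongest narrow-band tone. It is an added example, not code from the article or the researchers; the 18-20 kHz band, the probe spacing, the amplitude floor and the test signals are assumptions constructed for illustration.

```python
import math

BAND_HZ = (18_000, 20_000)  # assumed near-ultrasonic band; not stated in the article
STEP_HZ = 100               # assumed probe spacing inside the band

def goertzel_power(samples, rate, freq):
    """Normalized power at one frequency (about amplitude**2 for a pure tone)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return power / (len(samples) / 2.0) ** 2

def strongest_in_band(samples, rate, band=BAND_HZ, step=STEP_HZ):
    """Return (frequency, power) of the strongest probe inside the band."""
    probes = range(band[0], band[1] + 1, step)
    return max(((f, goertzel_power(samples, rate, f)) for f in probes),
               key=lambda fp: fp[1])

def find_beacon(samples, rate, min_amplitude=0.01):
    """Return the carrier frequency if a tone in the band exceeds the floor, else None."""
    if rate < 2 * BAND_HZ[1]:
        # Below the Nyquist limit the band cannot be represented at all.
        raise ValueError("sample rate too low to represent the band")
    freq, power = strongest_in_band(samples, rate)
    return freq if math.sqrt(max(power, 0.0)) >= min_amplitude else None

def tone(freq, amplitude, rate, n):
    """Constructed test signal: a pure sine tone."""
    return [amplitude * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

# Constructed inputs: 100 ms of audible content, with and without a faint 18.5 kHz carrier.
RATE, N = 44_100, 4_410
audible_only = tone(440, 0.5, RATE, N)
with_beacon = [a + b for a, b in zip(audible_only, tone(18_500, 0.05, RATE, N))]

if __name__ == "__main__":
    print("audible only:", find_beacon(audible_only, RATE))
    print("with beacon: ", find_beacon(with_beacon, RATE))
```

Real recordings carry broadband noise, so a practical check would compare the band against a measured noise floor over several windows instead of using a fixed amplitude threshold.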

“Once the user has installed these applications on her phone, she neither knows when the microphone is activated nor is she able to see which information is sent to the company servers,” the authors said.

The functionality is also enabled via an SDK known as SilverPush. The researchers found that its prevalence is on the rise: While in April 2015 only six instances were known, they identified 39 further instances in a dataset of about 1.3 million applications in December 2015, and now, there’s a total of 234 samples containing SilverPush.

For now ultrasonic beaconing is a mobile-application gambit—but that could change with SilverPush.

“Although we could not detect any beacons in actual TV audio, we observe that the number of applications embedding the SDK constantly increases,” the authors said. “We conclude that even if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future.”

That threat is multi-pronged and goes far beyond basic location-tracking; for instance, an adversary could mark digital media in TV, radio or the web with ultrasonic beacons and track their consumption using the victim’s mobile device. Actors can also use ultrasonic signals to know which mobile devices belong to which individual, to track behavior and purchase habits across devices. This means that advertisers can show more tailored advertisements, but more sinisterly, an adversary can link together the private and business devices of a user to provide a vector for targeted attacks. Then there’s de-anonymization.

“The side channel through ultrasonic codes makes the de-pseudonymization of Bitcoin and de-anonymization of Tor users possible,” the researchers said. “As an example, a malicious web service can disclose the relation between a Bitcoin address and a user’s real-world identity.”

All in all, it’s a potential threat that is set to escalate.

“In summary, an adversary is able to obtain a detailed, comprehensive user profile by creating an ultrasonic side channel between the mobile device and an audio sender,” the paper concluded. “At the time of writing, we are aware of 234 Silverpush Android applications that are listening in the background for inaudible beacons in TV without the user’s knowledge. Several among them have millions of downloads or are part of reputable companies, such as McDonald’s and Krispy Kreme.”

Researchers added, “Our findings strengthen our concerns that the deployment of ultrasonic tracking increases in the wild and therefore needs serious attention regarding its privacy consequences.”
