Hundreds Of Android Apps Silently Track Users With Ultrasounds
Researchers from the Brunswick Technical University in Germany discovered that many Android applications have used ultrasonic beacons to track users without their knowledge.
Ultrasonic Tracking
Over the past few years, advertisers have started taking advantage of a technology called ultrasound cross-device tracking (uXDT) to track mobile users and build extensive profiles on them.
The Brunswick Technical University researchers initially found that only six applications tracked users with this technology in April 2015. By December, the same year, the number of applications that supported uXDT grew to 39. In a recent investigation, the researchers found 234 Android applications tracked users with uXDT. They also found that four out of 35 retail stores in two cities use the same technology to track their customers.
How uXDT Works
The way uXDT works is that advertisers embed ultrasounds in the ads they play on TV or radio in the 18-20kHZ frequency range, and then smartphones or PCs with microphones pick up those sounds. This will tell the advertisers what kind of ads people are watching on TV, what type of phones they use, their location, and other advertising-relevant type of information such as user behavior.
According to the researchers, the ultrasonic tracking can also be used to de-anonymize Tor users. The devices the Tor users own could give them away when some of the apps they install contain code that can intercept ultrasounds with the phone’s microphone.
Right now, the ultrasonic tracking isn’t as dangerous as it could be for user privacy, because you still have to open the apps that contain this listening code for the tracking to work.
You also need to accept the RECORD_AUDIO permission in the apps that use ultrasonic tracking code. However, many users don’t typically pay attention to which permissions they allow when they install an app, or they may believe other important features within the app require the audio recording permission to be enabled.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
If this becomes a common way for advertisers to track users, many more apps, as well as popular apps with tens of millions of users, could end up using the same technology. This could make avoiding ultrasonic tracking much harder to avoid in the future, especially if platform vendors such as Google don’t impose restrictions on this type of tracking.
Zero-day Windows NTLM hash vulnerability gets patched by third-party — credentials can be hijacked by merely viewing a malicious file in File Explorer
US govt says Cisco gear often targeted in China's Salt Typhoon attacks on 8 telecommunications providers — issues Cisco-specific advice to patch networks to fend off attacks
-
toadhammer If you read the source research paper, it's clear they don't have a list of confirmed apps, just what their machine learning guessed might be doing it. If you search 'SilverPush', you'll see they claim '67 apps' were using their code and the FTC says they 'warned 12 unidentified Android app developers.' No one's willing to disclose actual apps due to the toxic privacy issues.Reply
Lucian, if you're granting microphone permissions to your apps, location tracking may be the least invasive privacy problem you have since it can record anything it hears, not just audio beacons. -
matthelm I just found the list of those 67 apps. Anyone that used them deserves to be tracked!Reply -
g-unit1111 Once again it all comes back to advertising. Which is why I hate the marketing and advertising industry. What are they doing with all this data? Why do they need this data?Reply -
alextheblue
For those who use modern smartplatforms extensively, some data is necessary for the operation of things like increasingly-sophisticated apps and digital assistants. But a lot of it is collected purely for the sake of highly targeted ads, and much of it goes way too far. The other problem is that even when they collect necessary data for proper operation of assistants or other software, they don't ONLY collect it for that purpose. It goes right in the pot with all the other data they've collected on you... outfits like Google/Alphabet and Facebook are especially big on this. That's why they keep offering more and more "free" services/apps/etc and growing their "software suite". The more things of theirs you use, the more data they milk. Email, documents, search for keywords and tag you with them. Youtube, track videos watched, search through comments, etc. It never ends. They're almost entirely ad revenue and thus they and others like them are the biggest offenders. But even those who aren't in it just for ad revenue aren't completely saints either.19649080 said:Once again it all comes back to advertising. Which is why I hate the marketing and advertising industry. What are they doing with all this data? Why do they need this data? -
g-unit1111 19649300 said:That's why they keep offering more and more "free" services/apps/etc and growing their "software suite". The more things of theirs you use, the more data they milk. Email, documents, search for keywords and tag you with them. Youtube, track videos watched, search through comments, etc. It never ends. They're almost entirely ad revenue and thus they and others like them are the biggest offenders. But even those who aren't in it just for ad revenue aren't completely saints either.
Yeah that's a good point - it seems like it's just a more sophisticated way of delivering ad content. I try to block ads at every possible opportunity I get. It gets exhausting, but watching commercials everywhere is something I don't particularly want to spend my time doing. And it doesn't guarantee I'm going to buy their product either. :lol: -
drajitsh It should be legislated that once you pay to remove ads, then the tracking mechanisms must also be disabled simultaneously.Reply