Hundreds Of Android Apps Silently Track Users With Ultrasounds

By Lucian Armasu
published

Researchers from the Brunswick Technical University in Germany discovered that many Android applications have used ultrasonic beacons to track users without their knowledge.

Ultrasonic Tracking

Over the past few years, advertisers have started taking advantage of a technology called ultrasound cross-device tracking (uXDT) to track mobile users and build extensive profiles on them.

The Brunswick Technical University researchers initially found that only six applications tracked users with this technology in April 2015. By December, the same year, the number of applications that supported uXDT grew to 39. In a recent investigation, the researchers found 234 Android applications tracked users with uXDT. They also found that four out of 35 retail stores in two cities use the same technology to track their customers.

How uXDT Works

The way uXDT works is that advertisers embed ultrasounds in the ads they play on TV or radio in the 18-20kHZ frequency range, and then smartphones or PCs with microphones pick up those sounds. This will tell the advertisers what kind of ads people are watching on TV, what type of phones they use, their location, and other advertising-relevant type of information such as user behavior.

According to the researchers, the ultrasonic tracking can also be used to de-anonymize Tor users. The devices the Tor users own could give them away when some of the apps they install contain code that can intercept ultrasounds with the phone’s microphone.

Right now, the ultrasonic tracking isn’t as dangerous as it could be for user privacy, because you still have to open the apps that contain this listening code for the tracking to work.

You also need to accept the RECORD_AUDIO permission in the apps that use ultrasonic tracking code. However, many users don’t typically pay attention to which permissions they allow when they install an app, or they may believe other important features within the app require the audio recording permission to be enabled.

If this becomes a common way for advertisers to track users, many more apps, as well as popular apps with tens of millions of users, could end up using the same technology. This could make avoiding ultrasonic tracking much harder to avoid in the future, especially if platform vendors such as Google don’t impose restrictions on this type of tracking.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
16 Comments Comment from the forums
  • David_713
    A list of apps would be helpful!
    Reply
  • David_713
    The Brunswick Technical University link is dead.
    Reply
  • toadhammer
    If you read the source research paper, it's clear they don't have a list of confirmed apps, just what their machine learning guessed might be doing it. If you search 'SilverPush', you'll see they claim '67 apps' were using their code and the FTC says they 'warned 12 unidentified Android app developers.' No one's willing to disclose actual apps due to the toxic privacy issues.

    Lucian, if you're granting microphone permissions to your apps, location tracking may be the least invasive privacy problem you have since it can record anything it hears, not just audio beacons.
    Reply
  • Achoo22
    This has gotten way out of hand. People should be ANGRY.
    Reply
  • matthelm
    I just found the list of those 67 apps. Anyone that used them deserves to be tracked!
    Reply
  • Kewlx25
    The platform should filter out high frequency sound.
    Reply
  • g-unit1111
    Once again it all comes back to advertising. Which is why I hate the marketing and advertising industry. What are they doing with all this data? Why do they need this data?
    Reply
  • alextheblue
    19649080 said:
    Once again it all comes back to advertising. Which is why I hate the marketing and advertising industry. What are they doing with all this data? Why do they need this data?
    For those who use modern smartplatforms extensively, some data is necessary for the operation of things like increasingly-sophisticated apps and digital assistants. But a lot of it is collected purely for the sake of highly targeted ads, and much of it goes way too far. The other problem is that even when they collect necessary data for proper operation of assistants or other software, they don't ONLY collect it for that purpose. It goes right in the pot with all the other data they've collected on you... outfits like Google/Alphabet and Facebook are especially big on this. That's why they keep offering more and more "free" services/apps/etc and growing their "software suite". The more things of theirs you use, the more data they milk. Email, documents, search for keywords and tag you with them. Youtube, track videos watched, search through comments, etc. It never ends. They're almost entirely ad revenue and thus they and others like them are the biggest offenders. But even those who aren't in it just for ad revenue aren't completely saints either.
    Reply
  • g-unit1111
    19649300 said:
    That's why they keep offering more and more "free" services/apps/etc and growing their "software suite". The more things of theirs you use, the more data they milk. Email, documents, search for keywords and tag you with them. Youtube, track videos watched, search through comments, etc. It never ends. They're almost entirely ad revenue and thus they and others like them are the biggest offenders. But even those who aren't in it just for ad revenue aren't completely saints either.

    Yeah that's a good point - it seems like it's just a more sophisticated way of delivering ad content. I try to block ads at every possible opportunity I get. It gets exhausting, but watching commercials everywhere is something I don't particularly want to spend my time doing. And it doesn't guarantee I'm going to buy their product either. :lol:
    Reply
  • drajitsh
    It should be legislated that once you pay to remove ads, then the tracking mechanisms must also be disabled simultaneously.
    Reply