As many as 234 Android apps which quietly track user locations and habits using ultrasonic signals have been downloaded over 11 million times so far.
These Android apps gain access to device microphones and use ultrasonic signals to exchange information with other devices, websites and shops.
In a research paper titled 'Privacy Threats through Ultrasonic Side Channels on Mobile Devices', researchers Daniel Arp, Erwin Quiring, Christian Wressnegger and Konrad Rieck have shed light on how hundreds of Android apps are invading privacy of Android device owners without the owners knowing about the invasion.
While Google Play Store requires apps to seek permissions from users for accessing various components, these apps gain access to device microphones without informing users on how they intend to exploit such access. The researchers revealed that ultrasonic beacons, which the human ear cannot perceive, were detected in various store locations and web media content which as many as 234 Android apps track in the background without the user’s knowledge.
"Recently, several companies have started to explore new ways to track user habits and activities with ultrasonic beacons. In particular, they embed these beacons in the ultrasonic frequency range between 18 and 20 kHz of audio content and detect them with regular mobile applications using the device’s microphone," the researchers noted.
They cited the example of an Android app named Shopkick which, using ultrasonic beacons installed in stores, can determine precisely when an app user entered a store. The user gets no information on when the microphone in his/her device has been activated nor is able to see which information is sent into company servers. The researchers have developed methods on how to detect these signals and are hence able to determine how many store and web media content have been employed to track user behaviour using ultrasonic signals.
SilverPush is a technology which is used by these apps to track user behaviour. Patented in 2015, it aims to mark TV commercials using ultrasonic beacons, thus allowing them to precisely track viewing habits of users. It can also identify users by linking them to the identity of their mobile devices, and is hence used by many Android apps to serve their purpose. Researchers noted that while only 5 such apps were using SilverPush in April 2015, as many as 234 Android apps are using it now.
"An adversary can monitor a user’s local TV viewing habits, track her visited locations and deduce her other devices. Furthermore, a side channel attack to Bitcoin or Tor users become even possible. In the end, an adversary is able to obtain a detailed, comprehensive user profile with a regular mobile application and the device’s microphone solely," the researchers concluded.
However, the makers of SilverPush claim that they have stopped supporting the technology after it came to light that it can be used to invade privacy of Android phone users. "We respect customer privacy and would not want to build our business foundation where privacy was questionable. Even when we were live, our software was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible," said Hitesh Chawla, founder of Silverpush, to Ars Technica.
""Every time a new handset gets activated with our software, we get a ping on our server. We have not received any activation for six months now," he added.
With such privacy concerns growing and with evidence on more apps intruding user privacy coming out, it is important for devices to feature pre-installed security software protection to protect users from unnamed or hidden threats. An example of this is an extended partnership between McAfee and Samsung, thanks to which McAfee is now offering McAfee LiveSafe on Samsung PCs, McAfee VirusScan on Galaxy S8 Smartphones and McAfee Security for Smart TVs.
“As the connected world of devices continues to expand into consumers’ homes, Samsung users can feel comfortable knowing that their devices are protected with the latest security solutions. We understand the importance of building security in devices from the start and are proud to offer solutions that provide convenience while keeping our customers safe,” said Henry Lee, VP of Mobile Security Technologies at Samsung.