Hundreds of Android apps are surreptitiously spying on users every day, using ultrasonic beacons, according to a new study. Researchers say that ultrasonic beacons embedded into apps can track users via a mobile's microphone, without users' knowledge. Researchers said that they have found 234 Android apps currently using ultrasonic beacons to track users.
Researchers from the Brunswick Technical University in Germany, in a research paper titled "Privacy Threats through Ultrasonic Side Channels on Mobile Devices", said that various firms have begun exploring new tech options to track user habits and activities. "Several among them have millions of downloads or are part of reputable companies, such as McDonald's and Krispy Kreme," researchers said.
Researchers also noted that 4 of 35 stores in two countries in Europe also use ultrasonic beacons for location tracking.
"Ultrasonic side channels on mobile devices can be a threat to the privacy of a user, as they enable unnoticeably tracking locations, behavior and devices," researchers said. For instance, users' TV habits can be spied on; ultrasonic beacons can also be used to determine what other devices belong to the user and also potentially link a user's personal and business devices "providing a potential infection vector for targeted attacks."
Researchers also said that ultrasonic beacons can help in tracking users' indoor movements, without the need for GPS. The ultrasonic tracking system can also be used to de-anonymize Tor users, potentially providing an avenue for "a side channel attack to Bitcoin or Tor users."
"In the end, an adversary is able to obtain a detailed, comprehensive user profile with a regular mobile application and the device's microphone solely," researchers said. "We confirm that audio beacons can be embedded in sound, such that mobile devices spot them with high accuracy while humans do not perceive the ultrasonic signals consciously."