Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Android Google

Over 200 Android Apps Are Currently Using Ultrasonic Beacons To Track Users (bleepingcomputer.com) 192

Catalin Cimpanu, writing for BleepingComputer: A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android apps (234, to be exact) that employ ultrasonic tracking beacons to track users and their nearby environment. Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years. uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.
This discussion has been archived. No new comments can be posted.

Over 200 Android Apps Are Currently Using Ultrasonic Beacons To Track Users

Comments Filter:
  • by RJFerret ( 1279530 ) on Thursday May 04, 2017 @09:48AM (#54354327)

    I already have a firewall and Hosts file on my phone to inhibit stuff talking to the world that I don't choose, but certain things I want to have 'net data access...

    Obviously Android permissions are only so fine-grained and more and more users (particularly of younger generations) accept any of them.

    A piece of tape over a webcam is one thing, but to disable a mic, not so easy to open things up nowadays to cut a wire!

    • by AmiMoJo ( 196126 ) on Thursday May 04, 2017 @09:54AM (#54354367) Homepage Journal

      Just open up your phone and unplug the microphone. No-one uses those things to make calls any more anyway.

      I remember a few years back someone modded a flip phone with a magnetic switch so that when it was closed the mic was physically disabled. This was around the time that details of MI5/NSA malware that could turn the mic on were coming out. If someone made a phone with a physical slider that disabled the mic and camera, or even just a magnetic switch and a flip open cover with a magnet in it, I'd buy that.

      Also, phone mics should have a hardware low pass filter that cuts off stuff above the human hearing range. In fact I'm surprised that they don't... Android could block it with a bit of software filtering too, or just deny the app permission to use the microphone.

      • by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @10:14AM (#54354499)

        1a) Hardware switches need to come back into fashion. CUT THE WIRES. Since physical switches have an irritating habit of failing, they need to be easily replaceable, so they need to plug in and touch contact points, not be soldered in.

        1b) These switches should exist for power and every corruptible/interceptable I/O path. If a light sensor senses, an LED blinks, a mic listens, or tone is generated, there should be a physical, circuit-interrupting switch to kill the related hardware. If there isn't, your device isn't as secure as it could be.

        2) The OS should fake permissions for apps, since so many refuse to run without access they don't actually require. Instead of 'yes/no' when access is requested, we need the options 'yes', 'no', and 'fake it'. Anybody who demands location, camera, mic, contact, and file access to run their app that needs none of that should not be respected enough that you have to go with 'just do not install'. They're immoral, you be immoral right back.

      • by sims 2 ( 994794 )

        I would love a software filter to take that high pitched bad mic whine out of old tv shows but I've never found one.
        It doesn't bother most people because most people can't hear it such as why they didn't fix the mic at the time.

      • by antdude ( 79039 )

        Void its warranty? What if we need the mic to talk to it like phone calls?

  • by Anonymous Coward

    But is there a list of these know apps?

  • Which Apps??? (Score:5, Insightful)

    by Rob Riggs ( 6418 ) on Thursday May 04, 2017 @09:49AM (#54354333) Homepage Journal
    Completely useless, alarmist, unactionable article. Name names, dammit.
    • If I understand it correctly: any app that shows ads is a potential beacon. Not just the 200 or so that record the sounds, it's the ads that emit the sounds. As long as you use an app with ads (like most apps have), and are near someone with one such listening apps on their device, you may be tracked ultrasonically.

  • by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @09:51AM (#54354347)

    >When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"

    Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?

    How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

    This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.

    Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.

    • New app needed. (Score:5, Interesting)

      by BarbaraHudson ( 3785311 ) <.moc.duolci. .ta. .nosduh.enaj.arabrab.> on Thursday May 04, 2017 @09:54AM (#54354363) Journal
      Wanted: an app that broadcasts ALL these signals, making them think you've got every product already, so they won't waste their time trying to sell you anything. Or just pollute their data to the point it's useless.
      • by Z00L00K ( 682162 )

        Alternatively an app that can detect this.

      • Re:New app needed. (Score:4, Interesting)

        by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @10:05AM (#54354453)

        >Wanted: an app that broadcasts ALL these signals, making them think you've got every product already, so they won't waste their time trying to sell you anything.

        Since to be useful the sound must be unique to the user (in order to be matched to you by the receiving device), you'd need to know their algorithm for generating the sounds. It's probably a hash of some unique device ID available to applications, and not terribly difficult to figure out, but it's not as simple as 'broadcast it all!'

        >Or just pollute their data to the point it's useless

        An ultrasonic static generator would be more practical. Drown out any signals you haven't noticed and silenced with noise. You might piss off your dog, though.

        • The article says that each device generates a unique ID. Random IDs should work, since they won't know ahead of time what ID a particular device will generate.
          • if they are flooded with noise making them useless then unique IDs will be unreachable to their tools still making their clever hack useless, if turning off the microphone is not easy or not possible just bury their spyware in noise
      • that is a good idea, flood them with so much noise that they become useless, if you cant turn it off, turn it on and up so much that they are buried over their heads in the noise they were looking for
      • by Altrag ( 195300 )

        You're assuming they care about you. They don't. If they're missing one out of their hundred million data points, they won't even give a collective shrug.

        You would need to convince a significant number of people to install whatever blocking/polluting app for it to have any effect at all. If anything, being the one polluter in your region would make you stand out just as much as your ID would.

        Not to mention humans aren't the only ears around. Dumping advertising signal into the ultrasonic is questionable

        • Just to avoid being added as a single row in a database so large that you aren't even a rounding error.

          Those rounding errors add up. See "Office Space [imdb.com]." That's what got them into the mess in the first place.

          Peter spends the next several days hanging with Joanna and fishing with Lawrence. He shows up back at Initech at the request of the Bobs to find out that not only is he getting a promotion, people reporting to him, a raise and stock options, but that among others both Samir and Michael Bolton are being fired. He meets with his friends that night and asks Michael Bolton if the virus he's always talking about will really work. Michael explains that the virus will take the fractions of a penny that remain on every bank transaction and deposit them into an account. The theft will be so gradual that it will take years before it's even noticed. The three friends agree that it's a foolproof scam, and decide to put it in motion the following day before Samir and Michael are let go for good. They also agree not to tell anyone else, even though Lawrence has heard all the details of the plan through the apartment wall. Peter assures Samir and Michael that "he's cool."

          The next morning Peter checks the balance in the illicit penny-pinching scam account and finds it is a shocking $305,326.13! The three friends meet, and Michael chalks the glitch up to a mundane detail that he's possibly overlooked.

        • How about if our hypothetical app listened for the signals from everyone else's devices and just randomly repeated them? If enough people used the "Echo" app the data set would become useless.
          • by Altrag ( 195300 )

            That's definitely better for not spamming the ultrasonic frequencies and annoying dogs everywhere, but this:

            If enough people

            is still a massive flaw in your design.

    • Imagine if an ad played on the TVs in a place like Best Buy. This is starting to behave like a virus.
      • by Anonymous Coward on Thursday May 04, 2017 @12:15PM (#54355431)

        "Hey there, Jim. Looks like you're in the market for a new TV. This Samsung 65" 4K model would look perfect from any point in your 10' by 20' living room. If you're not sure, just go ask Bob next door. He bought one last week and the whole family has been enjoying its crystal clear display. You can even control it from your iPhone 6 Plus, but the experience is much better with a new Samsung phone. Have you considered upgrading that? Don't worry, your MacBook Air will still connect to any new Samsung phone or television. What do you say Jimbo? Oh, you're more interested in the 50" models? You wouldn't be getting quite the same experience, but... Oh no, Jimmy, you don't want one of those Vizios, just slide on back to the Samsungs. Jimboree? Jim-jam? James? Come back here before I tell your wife where you were last Thursday night."

    • by wbr1 ( 2538558 )
      This. My phone goes lots of places. It has my location data. So, if an app has access to location data, it is far easier to link based off of that and ip data. Presumable when my phone is at a residential address, and my IP on the phone is the same as the one on other devices (tv, PC, etc) that can create a linkage. However ultrasound? What if I am at a friends an it picks up his/her TV, or anywhere else? What if it is an ad on a TV in a bar? I think the SNR here too high to be useful for advertiser
    • >When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"

      Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?

      How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

      This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.

      Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.

      Your phone definitely already does this if you visit the right websites. I have seen several big name URLs play ads (don't ask me the URLs cause I forget them, but they're mostly news related) that cause the music I am listening to to pause and for some embedded audioclip to play in that website. Drives me freaking nuts!

    • by GuB-42 ( 2483988 )

      How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

      Pretty hard actually. Ultrasounds have short range and noisy area with plenty of moving obstacles isn't the best place to put such a system.
      And smartphones have some form of filtering out of inaudible frequencies. Ultrasounds are considered useless, so why waste energy amplifying these signals. And why waste bitrate transmitting them digitally. Speakers working in the human hearing range don't like them either, it's like feeding the treble to a subwoofer.

  • by mystik ( 38627 ) on Thursday May 04, 2017 @09:55AM (#54354379) Homepage Journal

    Cited research paper:

    http://christian.wressnegger.i... [wressnegger.info]

    Found via the reddit thread on the same topic, It names a few of the apps, primarily using the SilverPush library.

  • This sounds just a hair too far 'out there' , still that is ugly.

    The assumption ( other devices are owned by you) would be false under many circumstances so this tech, if it actually exists would be near to useless for that purpose. There are devices owned by other people in your home, your office , and the coffee shop you go to regularly. Of coarse you might be able to make smart assumptions about a lot of this but the articles 'other devices in your home' is obviously not a simple use case for such a th

  • the apps/developers (Score:5, Informative)

    by nomadic ( 141991 ) <[moc.liamg] [ta] [dlrowcidamon]> on Thursday May 04, 2017 @10:19AM (#54354535) Homepage

    According to the article, offending apps seem to be mostly from India and the Philippines. They list 5 "representative apps" with developers:

    Application Name Developer Version Downloads
    100000+ SMS Messages Moziberg 2.4 1,000,000 – 5,000,000
    McDo Philippines Golden Arches Dev. Corp. 1.4.27 100,000 – 500,000
    Krispy Kreme Philippines Mobext 1.9 100,000 – 500,000
    Pinoy Henyo Jayson Tamayo 4.0 1,000,000 – 5,000,000
    Civil Service Reviewer Free Jayson Tamayo 1.1 50,000 – 100,000
    TABLE 2: Third-party applications with SilverPush functionality

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Xaxis, who is owned by WPP (one of the largest marketing agencies on the planet) has been selling this service for a few years: https://www.xaxis.com/products/view/xaxis-sync

  • iPhone also? (Score:5, Interesting)

    by Highdude702 ( 4456913 ) on Thursday May 04, 2017 @10:28AM (#54354623)

    I'm pretty sure Pandora does this on iPhone also. Last week I was on an artists site and listening to pandora on my phone. All of a sudden a song by that artist was played on a channel that was completely unrelated to that type of music. Kind of odd I thought, as I've had this happen before simply by talking to a friend about a song, and the very next song is the one we had talked about. Or maybe I'm just crazy.

    • by Parsec ( 1702 )

      a channel that was completely unrelated to that type of music

      This is too often my experience with Pandora.

    • by chihowa ( 366380 )

      Pandora did ask for access to my microphone when I installed it. Not seeing any legitimate need for that, I denied it, but you may be on to something.

    • Pandora does this even without a microphone in the vicinity, in my experience. I suppose it is possible, but why would they bother?
  • my neighbours, three walls and three windows away, the contractor finishing my basement, the tvisions in the sportsbar. I'm not a hobbit on a mountain-top, I interact with people most of most days, and often never again.

  • by afidel ( 530433 ) on Thursday May 04, 2017 @10:49AM (#54354773)

    The app permission system makes this a minor issue on Android 6+, just deny any app mic permission if it doesn't have a legitimate need to access the mic. I do wish Android app permissions were more granular at the UI layer like they are in the API (and like they were on Blackberries) but I realize that if you swamp the average user with too much information they'll just run away and not use the features, perhaps give granular control if you've enabled developer mode?

    • Enabling Mic access is one thing - enabling it on a background task is something else entirely - there's still not enough granularity.

  • My phone was so slow and the battery went dead so fast, I just did a factory reset on my phone a week ago. It's faster than ever. It's hard to tell which app was at fault, but something was sucking down some serious resources. I'm only reinstalling the necessary apps, and so far I've avoided any "shopping" or food rewards app.

    Google should really shut down background apps and make them more transparent when they do exist.

  • This sounds like a lot of effort to get me to buy Charmin rather than store brand... how do they have enough money to crunch that sort of data set into something they can sell to businesses at a profit? If this was regular govt espionage of some kind it might make more sense.
  • Why isn't this fucking ILLEGAL?
  • Unless I'm listening to music, I have the volume on my phone for media turned off. (I love "watching ads to get free stuff" in games. Launch ad, put the phone down, come back after 20-30 seconds of silence, and claim my free stuff.) If I'm right, would this prevent these ads from broadcasting?

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...