Posted by msmash from the privacy-woes dept.
Catalin Cimpanu, writing for BleepingComputer: A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android apps (234, to be exact) that employ ultrasonic tracking beacons to track users and their nearby environment. Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years. uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.

  • Oy, how to block this? (Score:3)

    by RJFerret ( 1279530 ) on Thursday May 04, 2017 @10:48AM (#54354327) Homepage

    I already have a firewall and Hosts file on my phone to inhibit stuff talking to the world that I don't choose, but certain things I want to have 'net data access...

    Obviously Android permissions are only so fine-grained and more and more users (particularly of younger generations) accept any of them.

    A piece of tape over a webcam is one thing, but to disable a mic, not so easy to open things up nowadays to cut a wire!

    • Re:Oy, how to block this? (Score:4, Interesting)

      by AmiMoJo ( 196126 ) <<mojo> <at> <world3.net>> on Thursday May 04, 2017 @10:54AM (#54354367) Homepage Journal

      Just open up your phone and unplug the microphone. No-one uses those things to make calls any more anyway.

      I remember a few years back someone modded a flip phone with a magnetic switch so that when it was closed the mic was physically disabled. This was around the time that details of MI5/NSA malware that could turn the mic on were coming out. If someone made a phone with a physical slider that disabled the mic and camera, or even just a magnetic switch and a flip open cover with a magnet in it, I'd buy that.

      Also, phone mics should have a hardware low pass filter that cuts off stuff above the human hearing range. In fact I'm surprised that they don't... Android could block it with a bit of software filtering too, or just deny the app permission to use the microphone.

      • Re:Oy, how to block this? (Score:5, Interesting)

        by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @11:14AM (#54354499)

        1a) Hardware switches need to come back into fashion. CUT THE WIRES. Since physical switches have an irritating habit of failing, they need to be easily replaceable, so they need to plug in and touch contact points, not be soldered in.

        1b) These switches should exist for power and every corruptible/interceptable I/O path. If a light sensor senses, an LED blinks, a mic listens, or tone is generated, there should be a physical, circuit-interrupting switch to kill the related hardware. If there isn't, your device isn't as secure as it could be.

        2) The OS should fake permissions for apps, since so many refuse to run without access they don't actually require. Instead of 'yes/no' when access is requested, we need the options 'yes', 'no', and 'fake it'. Anybody who demands location, camera, mic, contact, and file access to run their app that needs none of that should not be respected enough that you have to go with 'just do not install'. They're immoral, you be immoral right back.

      • Re: (Score:2)

        by sims 2 ( 994794 )

        I would love a software filter to take that high pitched bad mic whine out of old tv shows but I've never found one.
        It doesn't bother most people because most people can't hear it, which is why they didn't fix the mic at the time.

  • Captain Obvious here... (Score:1)

    by Anonymous Coward

    But is there a list of these known apps?

  • Which Apps??? (Score:5, Insightful)

    by Rob Riggs ( 6418 ) on Thursday May 04, 2017 @10:49AM (#54354333) Homepage Journal
    Completely useless, alarmist, unactionable article. Name names, dammit.

    • If I understand it correctly: any app that shows ads is a potential beacon. Not just the 200 or so that record the sounds, it's the ads that emit the sounds. As long as you use an app with ads (like most apps have), and are near someone with one such listening app on their device, you may be tracked ultrasonically.

  • Why do we all passively accept this? (Score:1)

    by Anonymous Coward

    If our grandparents found out that their tv, radio or newspaper were actively spying on them as a standard business practice heads would roll, why do we take it so willingly?

    • Sorry to say, but the old-folks, no matter how many generations back you go were just as lazy and indifferent about this stuff as we are now.

      Now it's terrorists, then it was Communists, Nazis, the British, the Romans, you name it, everyone was willing to gloss over an awful lot.

      • Sorry to say, but the old-folks, no matter how many generations back you go were just as lazy and indifferent about this stuff as we are now.

        This is correct; it is once you stop being willing to take it up the ass from everyone who expects you to do so that you become one of the "old folks" yourself. I've been one for over a decade now and I'm only 35.

  • It's more sinister than that (Score:5, Interesting)

    by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @10:51AM (#54354347)

    >When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"

    Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?

    How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

    This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.

    Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.

    • New app needed. (Score:4, Interesting)

      by BarbaraHudson ( 3785311 ) <barbarahudson@@@gmail...com> on Thursday May 04, 2017 @10:54AM (#54354363) Journal
      Wanted: an app that broadcasts ALL these signals, making them think you've got every product already, so they won't waste their time trying to sell you anything. Or just pollute their data to the point it's useless.

      • Re: (Score:2)

        by Z00L00K ( 682162 )

        Alternatively an app that can detect this.

      • Re:New app needed. (Score:4, Interesting)

        by Baron_Yam ( 643147 ) on Thursday May 04, 2017 @11:05AM (#54354453)

        >Wanted: an app that broadcasts ALL these signals, making them think you've got every product already, so they won't waste their time trying to sell you anything.

        Since to be useful the sound must be unique to the user (in order to be matched to you by the receiving device), you'd need to know their algorithm for generating the sounds. It's probably a hash of some unique device ID available to applications, and not terribly difficult to figure out, but it's not as simple as 'broadcast it all!'

        >Or just pollute their data to the point it's useless

        An ultrasonic static generator would be more practical. Drown out any signals you haven't noticed and silenced with noise. You might piss off your dog, though.

        • The article says that each device generates a unique ID. Random IDs should work, since they won't know ahead of time what ID a particular device will generate.
          • If they are flooded with noise making them useless, then unique IDs will be unreachable to their tools, still making their clever hack useless. If turning off the microphone is not easy or not possible, just bury their spyware in noise.
      • That is a good idea: flood them with so much noise that they become useless. If you can't turn it off, turn it on and up so much that they are buried over their heads in the noise they were looking for.
    • Imagine if an ad played on the TVs in a place like Best Buy. This is starting to behave like a virus.

      • Re: (Score:1)

        by Anonymous Coward

        "Hey there, Jim. Looks like you're in the market for a new TV. This Samsung 65" 4K model would look perfect from any point in your 10' by 20' living room. If you're not sure, just go ask Bob next door. He bought one last week and the whole family has been enjoying its crystal clear display. You can even control it from your iPhone 6 Plus, but the experience is much better with a new Samsung phone. Have you considered upgrading that? Don't worry, your MacBook Air will still connect to any new Samsung phone o

    • Re: (Score:2)

      by wbr1 ( 2538558 )
      This. My phone goes lots of places. It has my location data. So, if an app has access to location data, it is far easier to link based off of that and IP data. Presumably when my phone is at a residential address, and my IP on the phone is the same as the one on other devices (TV, PC, etc.) that can create a linkage. However ultrasound? What if I am at a friend's and it picks up his/her TV, or anywhere else? What if it is an ad on a TV in a bar? I think the SNR here is too high to be useful for advertiser

    • >When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"

      Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?

      How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

      This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.

      Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.

      Your phone definitely already does this if you visit the right websites. I have seen several big name URLs play ads (don't ask me the URLs cause I forget them, but they're mostly news related) that cause the music I am listening to to pause and for some embedded audioclip to play in that website. Drives me freaking nuts!

  • Research paper for this. (Score:5, Informative)

    by mystik ( 38627 ) on Thursday May 04, 2017 @10:55AM (#54354379) Homepage Journal

    Cited research paper:

    http://christian.wressnegger.i... [wressnegger.info]

    Found via the reddit thread on the same topic. It names a few of the apps, primarily using the SilverPush library.

  • This sounds just a hair too far 'out there', still that is ugly.

    The assumption (other devices are owned by you) would be false under many circumstances so this tech, if it actually exists, would be near to useless for that purpose. There are devices owned by other people in your home, your office, and the coffee shop you go to regularly. Of course you might be able to make smart assumptions about a lot of this but the article's 'other devices in your home' is obviously not a simple use case for such a th

  • Did anybody stop to consider the fact that speakers and microphones by-and-large are not capable of ultrasound frequencies? Tiny speakers like the ones in a smartphone are going to hit 18khz at BEST. It's probably closer to 15khz in reality. Even high-end studio monitors only reach 20-22khz. It takes specially designed transducers to operate in the ultrasound range. This story is complete bullshit.

    • Re:I call bullshit (Score:4, Informative)

      by ColdWetDog ( 752185 ) on Thursday May 04, 2017 @11:18AM (#54354529) Homepage

      Yep, it occurred to a number of people. That's why they're using 18K or so as the frequency. Remember, there isn't a hard wall cutoff here, just a drop in response. If all you're trying to do is send a couple of bytes of information, you can be slow and sloppy.
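Added example, not part of the thread or the cited paper: a defender-side check that scans recorded microphone samples for a narrowband tone near the "18K or so" region mentioned above, using the Goertzel algorithm on Hann-windowed 10 ms frames. The 18–20 kHz band edges, the 44.1 kHz sample rate, the thresholds and all function names are assumptions, and the audio is constructed test data.

```python
import math
import random

RATE = 44100                     # assumed capture rate in Hz
FRAME = 441                      # 10 ms frames, so DFT bins are 100 Hz wide
BAND = range(18000, 20001, 100)  # assumed beacon band, one probe per bin
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * i / FRAME) for i in range(FRAME)]

def goertzel_power(frame, freq):
    """Power of one DFT bin of a Hann-windowed frame, scaled so that a sine
    of amplitude A centred on the bin yields about A**2."""
    k = round(FRAME * freq / RATE)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / FRAME)
    s1 = s2 = 0.0
    for x, w in zip(frame, HANN):
        s0 = x * w + coeff * s1 - s2
        s2, s1 = s1, s0
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (FRAME * FRAME / 16.0)

def scan_for_beacon(samples, min_power=1e-5, min_ratio=10.0):
    """Average band power over all frames, then report a peak that is above
    an absolute floor and well above the band's median (i.e. narrowband)."""
    frames = [samples[i:i + FRAME]
              for i in range(0, len(samples) - FRAME + 1, FRAME)]
    if not frames:
        raise ValueError("need at least one full frame of audio")
    avg = {f: sum(goertzel_power(fr, f) for fr in frames) / len(frames)
           for f in BAND}
    peak_freq = max(avg, key=avg.get)
    median = sorted(avg.values())[len(avg) // 2]
    peak = avg[peak_freq]
    detected = peak >= min_power and peak >= min_ratio * median
    return detected, peak_freq, peak

def make_audio(seconds=0.5, beacon_hz=None, beacon_amp=0.02, seed=1):
    """Constructed signal: two audible tones, faint noise, optional beacon."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * RATE)):
        t = n / RATE
        x = 0.5 * math.sin(2 * math.pi * 300 * t)
        x += 0.2 * math.sin(2 * math.pi * 2500 * t)
        x += rng.gauss(0.0, 0.005)
        if beacon_hz:
            x += beacon_amp * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out

if __name__ == "__main__":
    print(scan_for_beacon(make_audio()))                  # no beacon
    print(scan_for_beacon(make_audio(beacon_hz=18500)))   # faint beacon
```

The median comparison is what separates a beacon-like tone from broadband high-frequency noise, which raises every probe in the band roughly equally.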

    • Re:I call ignorant poster (Score:2, Interesting)

      by Anonymous Coward

      Simply because the cutoff frequency is at 18Khz doesn't mean that a transducer completely stops working at that frequency. The cutoff frequency is the frequency where the response drops 3db below the more-or-less flat lower frequency response, depending on both the mechanics of the transducer and on any added electronic filtering. There will be detectable response far beyond the 15- or 18-khz cutoff frequency, both on the output and input sides of a transducer. And it's not as though the perfect fidelity

  • the apps/developers (Score:4, Informative)

    by nomadic ( 141991 ) <nomadicworld @ g m a i l . com> on Thursday May 04, 2017 @11:19AM (#54354535) Homepage

    According to the article, offending apps seem to be mostly from India and the Philippines. They list 5 "representative apps" with developers:

    | Application Name | Developer | Version | Downloads |
    |---|---|---|---|
    | 100000+ SMS Messages | Moziberg | 2.4 | 1,000,000 – 5,000,000 |
    | McDo Philippines | Golden Arches Dev. Corp. | 1.4.27 | 100,000 – 500,000 |
    | Krispy Kreme Philippines | Mobext | 1.9 | 100,000 – 500,000 |
    | Pinoy Henyo | Jayson Tamayo | 4.0 | 1,000,000 – 5,000,000 |
    | Civil Service Reviewer Free | Jayson Tamayo | 1.1 | 50,000 – 100,000 |

    TABLE 2: Third-party applications with SilverPush functionality

    • And eventually the MPAA. "We detected you watching a pirated movie near your phone. Pay us $3000 or...."

    • Re: (Score:1)

      by Anonymous Coward

      Xaxis, who is owned by WPP (one of the largest marketing agencies on the planet) has been selling this service for a few years: https://www.xaxis.com/products/view/xaxis-sync

  • iPhone also? (Score:3)

    by Highdude702 ( 4456913 ) on Thursday May 04, 2017 @11:28AM (#54354623)

    I'm pretty sure Pandora does this on iPhone also. Last week I was on an artist's site and listening to Pandora on my phone. All of a sudden a song by that artist was played on a channel that was completely unrelated to that type of music. Kind of odd I thought, as I've had this happen before simply by talking to a friend about a song, and the very next song is the one we had talked about. Or maybe I'm just crazy.

  • my neighbours, three walls and three windows away, the contractor finishing my basement, the televisions in the sportsbar. I'm not a hobbit on a mountain-top, I interact with people most of most days, and often never again.

  • Not such a big issue on Android 6+ (Score:3)

    by afidel ( 530433 ) on Thursday May 04, 2017 @11:49AM (#54354773)

    The app permission system makes this a minor issue on Android 6+, just deny any app mic permission if it doesn't have a legitimate need to access the mic. I do wish Android app permissions were more granular at the UI layer like they are in the API (and like they were on Blackberries) but I realize that if you swamp the average user with too much information they'll just run away and not use the features, perhaps give granular control if you've enabled developer mode?

    • Enabling Mic access is one thing - enabling it on a background task is something else entirely - there's still not enough granularity.

  • My phone was so slow and the battery went dead so fast, I just did a factory reset on my phone a week ago. It's faster than ever. It's hard to tell which app was at fault, but something was sucking down some serious resources. I'm only reinstalling the necessary apps, and so far I've avoided any "shopping" or food rewards app.

    Google should really shut down background apps and make them more transparent when they do exist.

  • This sounds like a lot of effort to get me to buy Charmin rather than store brand... how do they have enough money to crunch that sort of data set into something they can sell to businesses at a profit? If this was regular govt espionage of some kind it might make more sense.

  • Either the microphone and speaker hardware/firmware should filter out sub- and ultrasonic sounds, or the operating system or pre-OS-firmware should do it so it's impossible for any user application to get to this data (absent some bug to exploit, of course).

  • Why isn't this fucking ILLEGAL?

  • I think Facebook does it too (Score:1)

    by Anonymous Coward
    Tinfoil hat time, but based on real anecdotal experience.

    For the past few months, my laptop speakers have been emitting a quick data "chirp" very sporadically. It's modulated frequencies above 10k, a duration of 0.5 to 0.75 seconds, and it happens on a very irregular basis.

    I run a very clean install of Windows 7 Ultimate, and use Firefox with Noscript. I get almost no ads, and have never been hit by a virus or malware (though I get unsuccessful phishing emails often). After hearing the data chirp 10 or 2

