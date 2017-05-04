Over 200 Android Apps Are Currently Using Ultrasonic Beacons To Track Users (bleepingcomputer.com) 44
Catalin Cimpanu, writing for BleepingComputer: A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android apps (234, to be exact) that employ ultrasonic tracking beacons to track users and their nearby environment. Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years. uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.
Or pets suddenly attacking their masters when they turn their TV on, when they use their phone, etc.
Oy, how to block this? (Score:3)
I already have a firewall and Hosts file on my phone to inhibit stuff talking to the world that I don't choose, but certain things I want to have 'net data access...
Obviously Android permissions are only so fine-grained and more and more users (particularly of younger generations) accept any of them.
A piece of tape over a webcam is one thing, but to disable a mic, not so easy to open things up nowadays to cut a wire!
Just open up your phone and unplug the microphone. No-one uses those things to make calls any more anyway.
I remember a few years back someone modded a flip phone with a magnetic switch so that when it was closed the mic was physically disabled. This was around the time that details of MI5/NSA malware that could turn the mic on were coming out. If someone made a phone with a physical slider that disabled the mic and camera, or even just a magnetic switch and a flip open cover with a magnet in it, I'd buy tha
See OnePlus 3(t) slider, which is three position for alerts, but similar to what you are asking for. As in "Doable".
What I would like is a programmable slider, one that I could make it disable mic or camera.
1a) Hardware switches need to come back into fashion. CUT THE WIRES. Since physical switches have an irritating habit of failing, they need to be easily replaceable, so they need to plug in and touch contact points, not be soldered in.
1b) These switches should exist for power and every corruptible/interceptable I/O path. If a light sensor senses, an LED blinks, a mic listens, or tone is generated, there should be a physical, circuit-interrupting switch to kill the related hardware. If there isn't, your
'yes', 'no', and 'fake it'.
This is pure evil genius.
I would love a software filter to take that high pitched bad mic whine out of old tv shows but I've never found one.
It doesn't bother most people because most people can't hear it such as why they didn't fix the mic at the time.
I use Virtual Dub and some scripting to fix that.
Captain Obvious here... (Score:1)
But is there a list of these know apps?
Which Apps??? (Score:4, Informative)
Why do we all passively accept this? (Score:1)
If our grandparents found out that their tv, radio or newspaper were actively spying on them as a standard business practice heads would roll, why do we take it so willingly?
Sorry to say, but the old-folks, no matter how many generations back you go were just as lazy and indifferent about this stuff as we are now.
Now it's terrorists, then it was Communists, Nazis, the British, the Romans, you name it, everyone was willing to gloss over an awful lot.
It's more sinister than that (Score:5, Interesting)
>When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"
Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?
How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.
This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.
Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.
New app needed. (Score:2)
Alternatively an app that can detect this.
>Wanted: an app that broadcasts ALL these signals, making them think you've got every product already, so they won't waste their time trying to sell you anything.
Since to be useful the sound must be unique to the user (in order to be matched to you by the receiving device), you'd need to know their algorithm for generating the sounds. It's probably a hash of some unique device ID available to applications, and not terribly difficult to figure out, but it's not as simple as 'broadcast it all!'
>Or just
Who cares? And you've eliminated the Chinese, Russians, Israelis, and basically every competent intelligence agency in the world in your quest for assigning partisan blame domestically.
Rearch paper for this. (Score:4, Informative)
Cited research paper:
http://christian.wressnegger.i... [wressnegger.info]
Found via the reddit thread on the same topic, It names a few of the apps, primarily using the SilverPush library.
If they are actually using ultrasonic audio frequencies it won't work with analog FM stereo transmissions. The stereo pilot is 19 KHz so the audio output of the receiver cuts off above 18 KHz. On AM radio transmissions the audio bandwidth is restricted to around 5 KHz. For digital transmissions (TV, HD FM, etc) I suspect the audio is also bandwidth limited.
FTFA noted by mystik above, they are use modulated 18-20K tones. It appears that the phone mics, software and transmission lines can handle these frequencies well enough to encode a small amount of information.
A pulse beacon, if you will.
For real? (Score:2)
This sounds just a hair too far 'out there' , still that is ugly.
The assumption ( other devices are owned by you) would be false under many circumstances so this tech, if it actually exists would be near to useless for that purpose. There are devices owned by other people in your home, your office , and the coffee shop you go to regularly. Of coarse you might be able to make smart assumptions about a lot of this but the articles 'other devices in your home' is obviously not a simple use case for such a th
I call bullshit (Score:2)
Yep, it occurred to a number of people. That's why they're using 18K or so as the frequency. Remember, there isn't a hard wall cutoff here, just a drop in response. If all you're trying to do is send a couple of bytes of information, you can be slow and sloppy.
the apps/developers (Score:2)
According to the article, offending apps seem to be mostly from India and the Philippines. They list 5 "representative apps" with developers:
Application Name Developer Version Downloads
100000+ SMS Messages Moziberg 2.4 1,000,000 – 5,000,000
McDo Philippines Golden Arches Dev. Corp. 1.4.27 100,000 – 500,000
Krispy Kreme Philippines Mobext 1.9 100,000 – 500,000
Pinoy Henyo Jayson Tamayo 4.0 1,000,000 – 5,000,000
Civil Service Reviewer Free Jayson Tamayo 1.1 50,000 – 100,000
