Researchers have found 234 Android applications that are constantly listening for ultrasonic beacons in the background, allowing companies to track users’ current location or their habits – without the users’ knowledge.

They also found four stores in two European cities that use the technology for user location tracking, but still no use of ultrasonic beacons on TV channels and Top 500 Alexa websites.

What is ultrasonic tracking, and how widespread is it?

Ultrasonic audio beacons can be embedded into television or web advertisements, and picked up by mobile apps that contain a receiver.

The researchers analyzed millions of Android applications submitted to the VirusTotal service, and found only a few that used the Shopkick and Lisnr ultrasonic audio technology. On the other hand, there were many more that use the SilverPush SDK, which can allow developers to track users across multiple devices.

Previous research, dating back to April 2015, revealed that SilverPush’s software was used by 6-7 apps, allowing the company to monitor 18 million smartphones, but that number is constantly growing.

“The applications reach a high coverage among people and are not only downloaded a few hundred times. Even if the audio beacons are not embedded in actual TV commercials, our findings indicate that SilverPush has launched its deployment on the receiver side,” the researchers noted.

This might become a serious privacy threat in the near future, allowing media, location, and cross-device tracking, as well as website user deanonymization (e.g. a malicious web service can disclose the relation between a Bitcoin address and a user’s real-world identity, or reveal the identity of users who browse the Internet through anonymity networks such as Tor).

“The case of SilverPush emphasizes that the step between spying and legitimately tracking is rather small,” the researchers noted.

“SilverPush and Lisnr share essential similarities in their communication protocol and signal processing. While the user is aware about Lisnr’s location tracking, SilverPush does not reveal the application names with the tracking functionality.”

How can users protect themselves?

With the deployment of ultrasonic tracking increasing in the wild, and still no indication that regulators will push for effective protections, it will be down to the users to protect themselves from this new encroachment on their privacy.

It’s actually easy: both Android and iOS users can make it so that an app isn’t allowed to use the device’s microphone.

While that permission is necessary for some apps to work as intended (e.g. videoconferencing or VoIP apps), there are plenty of apps out there that should not even ask for it – and yet they do.

The researchers have noted a couple of countermeasures that could be introduced in the Android platform to prevent surreptitious tracking via ultrasonic beacons: detection (and flagging) of implementations, and improved notification.

“A more fine-grained control of the audio recording is likely the best strategy for limiting the impact of ultrasonic side channels. A combination of user notifications and a status in the pull down menu can inform the user when a recording takes place and lets her detect unwanted activities,” they explained.