A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android applications that employ ultrasonic tracking beacons to track users and their nearby environment.
Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years.
uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones.
SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.
SDKs created by Shopkick, Lisnr, or SilverPush provide most of today's support for embedding ultrasonic beacons inside web and classic media streams.
In research sponsored by the German government, a team of researchers conducted extensive tests across the EU to better understand how widespread this practice is in the real world.
Their results revealed Shopkick ultrasonic beacons at 4 of 35 stores in two European cities. The situation isn't that worrisome, as users have to open an app with the Shopkick SDK for the beacon to be picked up.
In the real world, this isn't an issue, as store owners, advertisers, or product manufactures could incentivize users to open various apps as a way to get discounts.
The only good news found in this research was that after searching TV streams from seven different countries, researchers failed to discover any ultrasonic beacons, meaning uXDT is not as widespread in television ads as some might have believed.
But researchers don't feel that safe about their findings. "[E]ven if the tracking through TV content is not actively used yet, the monitoring functionality is already deployed in mobile applications and might become a serious privacy threat in the near future," researchers said.
Their worries are based on a scan of 1,3 million applications, which unearthed that 234 Android apps are already using uXDT beacons.
This number is up from previous scans. For example, a scan of the same data set in April 2015 found only 6 apps using uXDT beacons, while another scan in December 2015, found 39 apps.
The jump from 39 to 234 is staggering, to say the least, especially since some of these apps have millions of downloads and belong to reputable companies, such as McDonald’s and Krispy Kreme.
Earlier this year, researchers showcased a method of tracking and unmasking Tor users using uXDT ultrasonic beacons.
The team's research is entitled Privacy Threats through Ultrasonic Side Channels on Mobile Devices.