Smartphone apps have been silently spying on users, according to a recent study conducted at Technische Universitat Braunschweig in Germany.

Researchers discovered 234 Android applications that were constantly listening for ultrasonic beacons without the user's knowledge.

Image: iStock/kizilkayaphotos

They found these tracking beacons in four of the 35 stores they visited in two European cities. The beacons could also allow companies to pick up inaudible signals from televisions to establish what viewers are watching. This can then be used to create targeted advertising based on their interests and location.

They can enable people or companies to track the user's movements at locations where the signal is embedded, and to learn which other devices they possess by eavesdropping on their signals. 

They could also de-anonymise Bitcoin users by revealing the relationship between their Bitcoin address and real-world identity, through the ultrasonic signal transmitted whenever a payment is made.

Research findings

The research team began their investigations after reports that an ad tech company called SilverPush was using smartphone microphones to detect the inaudible sounds that play when someone watches an advertisement produced by one of its clients. The feature was being used by companies including consumer goods giant Procter & Gamble.

"They wanted to find out what the user is watching on TV so they embedded a short ultrasound signal that consisted of five different frequencies," Erwin Quiring, one of the research paper’s principal authors, told Techworld.

"By doing so the device was listening in the background, so they could find out what commercials a mobile device user was watching just by finding these beacons on TV commercials." 

The researchers analysed more than 1.3 million Android applications. They detected the beacons by scanning large quantities of apps for the relevant frequencies.

Although they only discovered 234 applications using the ultrasonic beacons, the download numbers were sizable. Two of them had been downloaded between 1 million to 5 million times.

Read next: Best secure mobile messaging apps

SilverPush provided this ultrasonic functionality as a software development kit, so companies such as McDonald's and Krispy Kreme could embed the technology in their apps.

Other apps discovered by the researchers were using the software for entirely legitimate purposes.

Lisnr decodes the signals to show the user location-specific content that could include welcome messages at a festival.

A company called Shopkick deployed it to offer users rewards when they entered a shop that works with the company. Listening to an audio beacon emitted by loudspeakers at the entrance allowed the app to determine whether a user entered the store with far greater precision than GPS tracking can achieve.

"These apps are recruiting the high frequency that you can't hear, and if they detect, for example, an ultrasonic beacon, they can find out that you are in a certain shop," says Quiring. 

Growing smartphone surveillance

Concerns over the use of smartphones to monitor citizens have grown in recent months after a string of stories exposed the extent of government surveillance on both sides of the Atlantic.

In March, Wikileaks released a series of confidential CIA documents that disclosed the intelligence agency had developed malware and hacking tools that can infect and control iPhones and Android devices.

The attacks allow the CIA to access the user’s geolocation and communications and activate the phone’s camera and microphone.


Two months later, documents were leaked showing that the UK government wants all telecommunications companies to provide it with real-time access to the communications of named individuals within one working day.

Read next: Ex-CIA CTO: don't believe everything you hear about hacking

Coverage of government surveillance has largely overshadowed that of the private sector, where methods of tracking through mobile phones is becoming commonplace. Spending on location-based mobile marketing reached $12.4 billion in the US in 2016, and is projected to grow to $32.4 billion by 2021, according to a report by research consultancy BIA/Kelsey.

British companies are also investing heavily in mobile tracking. The Daily Telegraph revealed in December that high street shops including Marks & Spencer and Topshop were tracking customers through pings emitted when they search for Wi-Fi networks.

The ultrasonic beacons support even more clandestine monitoring. Google banned the offending apps for violating its privacy policy when the study team reported their findings, but would struggle to monitor and detect what each individual app was doing.

Detection methods

Google can check whether an app is using a phone's microphone, which a company must specify in its privacy policy. The precise intent is far more difficult to identify. Many apps use the microphone for open and legitimate purposes. Shazam, for example, uses it to identify music playing.  

The company can check whether an app is using a phone’s microphone, which a company must specify in its privacy policy, but its precise intent is more difficult to identify. Many apps use the microphone for open and legitimate purposes. Shazam, for example, uses it to identify music.  

The researchers only analysed the open deployment of ultrasonic technology by private companies, but it could also be embedded in malware by government agencies and cyber criminals.

Read next: Is it possible to hack a plane?

"You cannot do anything against the sender, but what you can do is on the receiver side," says Quiring.

"If there is no receiver, there is no threat. One thing each user should do is to check for the permissions of the Android applications. The app has to declare that it's using the microphone."

An Austrian company called SoniControl may have found a better solution. The project team is developing what it calls "the first ultrasonic firewall". The prototype mobile application detects ultrasonic activity, notifies the user and blocks the transmission on demand.

Until such a product is released, consumers are limited in the defence they can take - but basic vigilance could help.

"You cannot do anything against the sender, but what you can do is on the receiver side," says Quiring.

"If there is no receiver, there is no threat. One thing each user should do is to check for the permissions of the Android applications. The app has to declare that it's using the microphone."

Find your next job with techworld jobs