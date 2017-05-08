Ultrasonic spy tech in Android apps could be used to de-anonymise bitcoin and Tor users

GET READY TO THROW your Android smartphone in the bin as new research has revealed that millions of devices are ultrasonic audio signals to covertly track users.

You have the Technical University of Brunswick, Germany, to thank for the research, which has revealed that more than 200 apps in the Google Play store are using 'beacons', ultrasonic audio signals inaudible to humans, inside adverts in order to identify and track users.

The audio tracking technology is provided by a New Delhi startup called Silverpush, is most likely being used to snoop on what kind of adverts smartphone users are watching and engaging with.

An adversary can monitor a user's local TV viewing habits, track their visited locations and deduce their other devices," said the researchers. "They can gain a detailed, comprehensive user profile with a regular mobile application and the device's microphone."

However, the beacons could also be used to de-anonymise Bitcoin and Tor users.

"The side channel through ultrasonic codes makes the de-pseudonymisation of Bitcoin and de-anonymisation of Tor users possible. As an example, a malicious web service can disclose the relation between a Bitcoin address and a user's real-world identity," the research warns.

Perhaps the most worrying thing about the technology is that it isn't just found inside dodgy-looking apps, as apps produced by McDonald's and Krispy Kreme were found to contain the Silverpush code, and had been downloaded between 100,000 and 500,000 times each.

The researchers said that a sample of just five of the 234 apps had been downloaded up to 11 million times.

Silverpush has thrown some water on the situation though, and has denied that its technology was still being used. It stopped supporting the software in 2015 following a privacy outcry.

"We respect customer privacy and would not want to build our business foundation where privacy was questionable," Hitesh Chawla, founder of Silverpush, told Ars Technica. "Even when we were live, our software was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible.

"Every time a new handset gets activated with our software, we get a ping on our server. We have not received any activation for six months now." µ