Blog
Business

Ultrasonic spyware - what only your dog detects

Spyware, whether distributed by criminals, advertisers or even states, is a constant nuisance. Yet, some types have the technician in me marveling. Why? Because they're innovative and intelligently designed. Recently, I came upon an approach that might interest web users, supermarket shoppers and whistleblowers alike. A single sound can betray them all (with a little bad luck).

A four-legged security solution

If you regularly read the news from the world of technology, you'll eventually develop a thicker skin. They found another security hole in Windows? That's barely enough to elicit a shrug these days. Over 230 Android apps are listening for an inaudible sound to track me? Now that's interesting. The principle behind this approach is easily explained yet hard to implement. A sound source (TV or PC speaker, speakers in a supermarket etc.) sends out a very high-frequency sound which gets picked up by the microphone in your cell phone (or laptop) and is then processed by an already installed spyware app. The app then phones home to report on your current activity, e.g. which website you're viewing, and this data stream can include anything that might be of interest like your device ID, phone number, MAC address and more.

But why wait for a signal? Simple: it's not about the listening device, but about the sender. These ultrasonic beacons help spyware authors link multiple devices together across physical boundaries, e.g. to find out what you're viewing on your PC, not just your cell phone, and to aggregate this data to form a bigger picture. Different contents will simply trigger slightly different sounds. This may sound like science fiction but the concept has already been used by Asian fast food restaurants with apps that saw millions of downloads.

Who knows what these speakers will blurt out? Who knows what these speakers will blurt out?

For all of this to work, a big infrastructure is required. First, the spyware has to be distributed either by bundling it with a big name app or by disguising it as a small useful tool. Next, the ultrasonic beacons have to be rolled out. This process is quite straightforward as sounds can easily be embedded into page ads. Once users visit the affected pages, the sounds get played and the aforementioned process triggered. It's tracking heaven for advertisers eager to personalize their ads! There are also other possibilities.

Fast food restaurants could play a sound at regular intervals through their store speakers to figure out who their regular customers are. Department stores could play different sounds for their various departments to determine how long customers are staying in each section. Once multiple businesses start to cooperate, it'll be possible to reconstruct the path each customer took as they moved through the city. I know marketers who would pay a lot of money to get this data!

Is your cell phone listening to your TV? Is your cell phone listening to your TV?

It's also feasible that this technology could be used to locate users who are using anonymization services on the web. Picture a guy that is being persecuted and heavily relies on Tor and VPN to stay hidden. The persecutors could simply create a website they know their target will be interested in and put it on the public Internet or the Darknet. Once their target visits the page, an ultrasonic sound gets played, is then picked up by the target's cellphone (and the installed spyware app) - and the hunt has just become a lot easier.

Currently, this technology is still in its infancy and there is an ongoing debate about whether this type of software is illegal and should be considered malware. If it were to be implemented as part of a shopping app, e.g. to enable discounts, it might be perfectly legal even if severe restrictions may apply. There have been no confirmed cases of it being used in television programs yet but it's doable. Once again, legislators are venturing into unknown territory and will have to come up with an adequate response. Another good reason to only install apps from trusted sources and developers and to pay more attention to your pets as living spyware detectors. "Found another one, Fido?" "Woof!"

What I would like to know: do you play close attention to what apps you're installing on your cellphone or do you blindly trust in Apple's, Google's and other distributors' abilities to reliably detect and filter out spyware?

17 comments
  • B

    Guess I'm infected as well. Almost every time after I leave a store I am asked to rate my visit to that store. Don't know which ap is causing this. Think I will factory reset my phone and start over. In other words...it's none of your business that I was in that store at all.

    I think it might be that I have my "location" turn on. Will shut it down and see what happens.

    I’m uncertain as to whether this is a type of infection. Annoyingly, it has become a trend for shops to ask for positive ratings and I’ve encountered several such cases in the past.

  • D

    The listener would likely fall asleep as I read dreadfully long reports full of statistical information.

  • E

    I have a cell phone. It was extremely cheap (£-6). It does nothing but telephone and text. I keep it in the car for emergency use, it is turned off most of the time. I know I'm tracked and others know what I do but I try to keep my profile to a minimum - I use email, but if there is something that is likely to attract attention - I write a letter. I find I get through life quite well without instant resort to portable computers. Just like I did fifty years ago. I realise that young people 'on the go' don't have that luxury. What alarms me is that they don't care about their privacy quietly melting away and it's all done to 'to serve' us but eventually it will cost us our time and our money, and one day our freedom. Our freedom, because those who want power can never resist the the temptation to control through any means possible.

  • L

    I suppose it could be possible to create an app to apply a low pass band filter below 18kHz (on the edge of normal human hearing range) to all sound inputs before being fed to any apps. That way none of the frequencies above that level would be detected by them, and normal conversational audio should not be noticeably affected.

  • s

    I don't blindly trust Google 's ability to filter out spyware, and I question the extent to which they would want to do so, as they stand to earn more money if they don't. I realized from the moment I first booted a mobile device that I was being tracked. The loss of privacy is a tradeoff for the time saved by using it rather than paper. The advertising it throws across my work, often crashing the app and causing me to have to redo the work, detracts from the time savings. Whenever it gets to the point where either the advertising is completely negating the time saving advantage or the frustration of the constant interruptions becomes intolerable, I will go back to using paper. I live in a place (Miami Beach FL) where local law enforcement has cameras surveilling every inch of public space with facial recognition software so the government is already tracking my every movement. They have microphones hidden in the trees in the park and along the street-sides to eavesdrop on any conversation in a public place. I trust less in the government 's ability or willingness not to use the information against me than I do in private sector' s, and I can't stop them from tracking me by getting rid of my smartphone.

  • H

    ongoing debate about whether this type of software is illegal and should be considered malware.

    I don't think the baddy's will worry about legality , that is a minor detail to them if gets them to laugh all the way to the bank.

  • J

    Do not like the sound of this at all. I'd call it Malware and erase it. I don't like advertisers hounding me by normal means. I would like it less if they, and other people I want to avoid, could track me by a sound.

  • D

    I thought I had Privacy....I Don't think so. I have Avast Premium Security Privacy control.....Yeah Right! I have to remember to turn it on every day before I go Online. I had to uninstall Monzilla and Google Chrome because Monzilla was in Singapore and Goggle was in Africa. I have Avast Premium and Malware Bytes and they did not block them. I'm just glad that I don't keep Private Info on my computer. I am now getting Robo-Calls on Microsoft 10 phone as well. What the F. There is no Security against Cybor Crime. Help me please. Our world is going to ?HELL.

  • J

    The worst weapon ever deployed to brainwash, indoctrinate and control the human beings who use the weapon as an electronic tool, the portable

    telephone/computer/camera, known as 'the 'mobile smart 'phone'.

  • T

    This is a worrying trend. Some browsers (Firefox on a laptop or desktop definitely) indicates on any active tab, if the sound/speaker is being used (little speaker symbol on the tab). Of course, smart-phone "apps" (very overused word for small specific functional programs) are often just "wrappers" to load data back and forth between specific websites or servers, and often use browser functionality internally. The problem is of course, that the "app" developers will NOT code the useful activity indicators, as it will give away its nefarious activity. The best way around this, is if you see ANY app that wants access to your microphone or speaker, just decline, and do NOT say accept this.

  • R

    It can be simply thwarted maybe by keeping your microphone turned off.

  • i

    I;ve never owned a cell-phone, nor do I plan to do so.

    Can You supply me with software on my computers to identify unauthorized invaders immediately, so that I can fully legally sue the identified entities responsible? Please respond at Your earliest convenience. Thank You!!!

    We’re not planning to release an antivirus solution for cellphones any time soon. :\ I’m afraid you’ll have to turn to another software supplier you trust.

  • D

    Can we say "Privacy"? I want to know if I am being tracked.

    I consider this technology to be along the lines of subliminal messaging.

    Subliminal messaging is illegal I do believe unless used for personal self-help applications i.e. stop smoking, meditation.

    It is my opinion that if I cannot hear it, then it is technical subliminal messaging.

    It is sending a subliminal message to my devices to do something without my permission.

  • G

    I don't use a smart phone and probably never will.

    I have a cell phone which is never turned on unless I need to make an emergency call, when I'm on the road - or in a parking lot.

    ??how will this impact me??

  • L

    Surely any criminal ways up the chances of them being caught but the biggest percentage take the risk as they believe they will get away with it. Many of the perpetrators do not consider themselves to be criminals and are big businesses, They are in business to make money, not friends. Their employees are paid to make money for them.

    It all comes back to that 5 letter word GREED.

  • L

    How Orwellian....1984 Big Brother is watching you.

    If your actions during the day can be tracked and an identity built out of the info, what's to stop the actual malware producers from using this to further their objectives.

    Identity theft is big money illegal business and this tech renders the device addicted (most of us these days) vulnerable - without being aware the you are being controlled by sound,,,,like the old dog whistle that only the dog can hear and be trained to respond to.

    How doyou defend against what you can't either see or hear?

  • L

    Thank you for the post.

    The uses for this technology are so invasive. It is no different to the other stalking tech. If real people were following us and logging everything we do, they would surely get charged with stalking.

    I think it is beyond the time that all this digital stalking be outlawed. If apps 'spoke' to you with messages like "I know where you live; I'm now saving and sharing your location.", people would not be so eager to use apps that track.

    And what's the reward for people who let themselves be tracked and have that data sold for profit? Lovely ads to make them spend money they might not have so the companies can make even more profit.

About Ashampoo
Users
22+ million
Downloads
500.000+ per month
World-wide
In over 160 countries
Experience
Over 25 years
Ashampoo icon