Be careful! More and more apps are silently listening to you

A device tracking technology called SilverPush has been thrust back into the limelight, following several years of concerns, after a team of researchers found that, even though most users are unaware of its presence on their smartphones, its use is on the increase. What does SilverPush do? It uses the microphone on your smartphone to listen for special ultrasonic signals embedded in audio content, or sent by beacons, to anonymously track location, habits, and media use.

Why do this? It’s an excellent way of determining if you pay attention to advertising, and in conjunction with other data, it’s a way to tailor new ads that will appeal to you. If your smartphone has an always-listening mode, such as that used for Siri, Google Assistant, or other virtual assistant programs, then SilverPush can also hear the ultrasonic audio markers sent out to it.

These markers may come from in-store beacons, your television, or any audio system. Potentially, it could reveal if you stopped to look at the new promotional items in a store, if an ad on TV made you look away from your phone, or if you picked up your phone to visit a website after seeing an ad. Think of it as the audio equivalent of a browser cookie.  Its presence “emphasizes the step between spying and legitimately tracking is rather small,” say the researchers.

Apps with millions of downloads

The team looked for apps with SilverPush’s code inside, along with code from other companies offering similar services such as Lisnr and Shopkick. It discovered SilverPush technology inside 234 Android applications, all of which can listen for ultrasonic audio clips embedded in audio from a television, and do so without your knowledge. Rather than only being found in shady apps few people will download, several apps apparently have millions of downloads, and include those produced by McDonald’s and Krispy Kreme.

We contacted both for comment. McDonald’s U.S. and McDonald’s U.K. representatives each responded that the technology isn’t in use by their company. Krispy Kreme U.S. has yet to respond, but the company’s U.K. office replied with the following statement:

“We do not use any technology in the U.K. that would enable us to access the microphone of a smartphone or any other device.”

Why the renewed interest in the tech? It’s because SilverPush’s use in apps is on the increase, as only six apps were found with SilverPush technology in 2015, compared to the more than 230 now discovered. However, while the potential for SilverPush and related technology to be used for covert tracking is there, and it’s gradually appearing more in our apps, it’s not being exploited at the moment.

The research team didn’t find any television content with the ultrasonic audio embedded inside, for example. The team also noted the hardware on many phones may not be up to the task of hearing these ultrasonic clips, and that the Android operating system will warn you if an app requires specific permissions to access audio, allowing you to deny the request at installation. Plus, as McDonald’s and Krispy Kreme’s response indicates, the software may not be used in apps available in all territories.

It appears that while ultrasonic tracking technology is being investigated, its full potential to become a legitimate privacy concern hasn’t been realized. Drawing attention to it may help prevent the technology from becoming a wide concern; but because we’ve been hearing (if you’ll forgive the pun) about SilverPush since 2015, and had several warnings about it in 2016, it appears the message hasn’t quite gotten through yet.

Article published 05-09-2017. Updated on 05-09-2017 by Andy Boxall: Added in comment from McDonald’s and Krispy Kreme.