Researchers believe some popular smartphones may be listening a little too closely to your activities.
A team from the German Technical University of Braunschweig (Brunswick) found 234 Android applications that contain code, known as SilverPush, that listens for ultrasonic signals embedded in media or emitted by beacons. Though primarily intended to track users’ media consumption and shopping habits to help target advertising, the research team says the apps could also potentially be used to establish users’ identities across multiple devices, track location, and even de-anonymize services like Bitcoin and Tor.
The most widely-downloaded of the detected apps do not notify users of these capabilities.
“Device tracking is a serious threat to the privacy of users, as it enables spying on their habits and activities,” the researchers wrote. “A recent practice embeds ultrasonic beacons in audio and tracks them using the microphone of mobile devices. This side channel allows an adversary to identify a user’s current location, spy on her TV viewing habits or link together her different mobile devices.”
They added: “Our findings confirm our privacy concerns: We spot ultrasonic beacons in various web media content and detect signals in 4 of 35 stores in two European cities that are used for location tracking. While we do not find ultrasonic beacons in TV streams from 7 countries, we spot 234 Android applications that are constantly listening for ultrasonic beacons in the background without the user’s knowledge.”
Researchers identified apps by comparing known SilverPush code to a database of 1.3 million apps. The apps found to contain SilverPush code include those from McDonald’s and Krispy Kreme in the Philippines, each installed by around 500,000 Android users. The other apps were predominantly targeted at users in India and the Philippines, and some had as many as 5 million downloads. Researchers found that the use of SilverPush had proliferated over time, from 39 apps found in December of 2015 to 234 in January of this year.
Get Data Sheet, Fortune’s technology newsletter.
The researchers also detected ultrasonic beacons in four of 35 retail stores they visited in Europe, though they failed to find signals in media after reviewing 140 hours of television and audio. They presented their findings at an IEEE conference in late April, so the research has not yet received full academic peer review.
Speaking to Ars Technica, SilverPush creator Hitesh Chawla disputed the report’s findings. SilverPush claims to have turned away from the ad-tracking business after the Federal Trade Commission in 2016 issued warnings about the practice to 12 app developers.
The researchers found no unusual implementations of listening code from Shopkick and Lisnr, which use similar technology but are more transparent about their apps’ capabilities. They did not analyze iPhone apps, meaning there’s no guarantee SilverPush isn’t lurking throughout Apple’s ecosystem as well.
