I discovered dozens of Android applications that spy on user activities by activating the recording of the audio stream from the microphone of the mobile device. It seems to be the “new trend of the moment”: dozens of Android apps published on the Google Play Store are “enriched” with an extra component designed to listen for and recognize known audio clips through the smartphone’s microphone.
According to recent research on the software published in the Google online store, more than 250 applications integrate Alphonso ACR, a technology developed by the Indian-American company of the same name, which captures the audio signal from the mobile device’s microphone.
According to Alphonso, the ACR technology does not record the human voice or private conversations but was developed to understand, for example, which television programs the user usually watches. Furthermore, the audio samples collected by Alphonso ACR remain stored on the user’s smartphone and are never transmitted to the company’s servers or third parties. Only the hash of each recording, a unique fingerprint, leaves the user’s Android device.
The approach is the same one Shazam has used for some time for the automatic recognition of music tracks (see Apple buys Shazam for 400 million dollars): among other things, as confirmed by the company’s CEO, Alphonso has an agreement with Shazam itself. Despite Alphonso’s reassurances, what has emerged in these hours demonstrates what can be done with a smartphone and how easily it can be transformed into a “spy device.”
Also, the Android apps that use Alphonso ACR analyze the incoming audio even with the display off. Alphonso collects information through the microphone for advertising purposes: ACR makes it possible to build a user profile by ascertaining the user’s tastes and interests. Facebook has also been repeatedly accused of recording users’ audio without their knowledge: however, no evidence has been gathered.
Again, Pay Attention To The Individual Permissions Required By Android Apps
As we have repeatedly mentioned, Android apps too often use more permissions than they need. It is therefore advisable to be wary of Android apps that request overly broad permissions and, above all, permissions that have nothing to do with the features offered by the application.
Fortunately, starting with Android 6.0 Marshmallow, the operating system asks the user whether or not to grant each app each individual permission.
The problem is that users often grant all permissions without thinking and that some apps only work if you give specific permissions (still worth a try before completely uninstalling the app).
For our part, on the most recent devices (from Android 6.0 onwards), we suggest opening the operating system settings, tapping Authorizations or Permissions, then choosing Microphone.
Here you can check the apps that have requested the use of the microphone and, where appropriate, revoke the authorization for those that should not capture the input audio. In addition to microphone usage permissions, we suggest checking the following permissions:
Over the last few months, as we explained in the article Android apps dangerous for security and privacy, there have been several cases of applications that raided the user’s address book once installed on the mobile device (some recent examples: Antivirus for Android, DU products in the storm: that’s why and Sarahah hijacked the contact list on mobile devices).
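The microphone permission check described above can also be run from a computer over adb. The script below is an added example, not part of the original article: it assumes adb is installed and USB debugging is enabled on the device, the function name mic_granted is hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example: find apps that currently hold the microphone permission.
PERM="android.permission.RECORD_AUDIO"

# Reads `dumpsys package` text on stdin; prints each package whose entry
# for $PERM reads granted=true (once per package, even with several users).
mic_granted() {
    awk -v perm="$PERM" '
        # Package header, e.g.:   Package [com.example.app] (1a2b3c):
        /^ *Package \[/ {
            pkg = $0
            sub(/^ *Package \[/, "", pkg)
            sub(/\].*$/, "", pkg)
            next
        }
        # Shared-user blocks also list grants; do not credit them to the
        # last package seen.
        /^ *SharedUser \[/ { pkg = ""; next }
        pkg != "" && index($0, perm ": granted=true") && !seen[pkg]++ { print pkg }
    '
}

# Constructed sample in the shape of `dumpsys package` output (not real data).
SAMPLE='Packages:
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.RECORD_AUDIO
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.game] (7a8b9c):
    User 0:
      runtime permissions:
        android.permission.CAMERA: granted=true
        android.permission.RECORD_AUDIO: granted=true
Shared users:
  SharedUser [android.uid.example] (aa11bb):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true'

if [ "${1:-}" = "--device" ]; then
    adb shell dumpsys package | mic_granted   # live device
else
    printf '%s\n' "$SAMPLE" | mic_granted     # offline demo on the sample
fi
```

For any listed app that has no reason to capture audio, `adb shell pm revoke <package> android.permission.RECORD_AUDIO` withdraws the permission, just as the Microphone screen in the settings does.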