ALERT: Android Apps Loaded With Secret Tracking Code

When you download a popular app from Google Play to your smart-phone, you are likely also installing hidden spyware that may ultimately hurt you.


Smart phones are also tracking devices and may contain highly intrusive spyware.

Today the Yale Privacy Lab issued a Black Friday Alert about spyware embedded in Android Play Apps.

Most mobile phone users have an idea they might be tracked by their phones but are willing to accept the intrusion in exchange for the convenience and capabilities that a smart phone offers. But, most smart phone users haven't really thought the issue through and many may not be aware of the real dangers of being spied on all the time.

Privacy Lab recently published details from its research into 25 trackers hidden inside popular Google Play apps such as Uber, Tinder, Skype, Twitter, Spotify, and Snapchat. Most of the apps are used for targeted advertising, behavioral analytics, and location tracking.

The 25 trackers are a sample of the 44 identified-to-date by security researchers at Exodus Privacy, a non-profit organization based in France. Their Web-based privacy auditing platform, also named Exodus, analyzes apps available via Google Play. Exodus scans apps for the signatures of known trackers and identifies Android operating system permissions. More than 75% of the 300+ apps analyzed by Exodus contain the signatures of trackers.

To coincide with Privacy Lab’s publication, the Exodus organization has made its app auditing platform available to the public at and is releasing the code as Free and Open-Source Software.

Privacy Lab has studied the data from Exodus output and is providing insight into the origin of advertising trackers, the companies behind them, and their surveillance practices.

Network activity originating from these Android apps crosses multiple countries and legal jurisdictions. Lack of transparency about the collection, transmission, and processing of data via these trackers raises serious privacy concerns and may have grave security implications for mobile software downloaded and in active use by billions of people worldwide.

There is an entire industry based upon these trackers and the compiling, analysis and reselling of the data. Some of the biggest customers for this data are insurance companies and government intelligence agencies.

The spyware problem is expanding rapidly and apps identified as “clean” today may contain trackers that have not yet been identified or secretly update themselves later with known trackers.

The Exodus platform identifies trackers via signatures, like an anti-virus or spyware scanner, and thus can only detect trackers previously identified by researchers at the time of the scan.
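The sketch below illustrates the signature matching described above and its blind spot. It is an added example, not code from Exodus or Privacy Lab. The tracker names, package prefixes and sample class list are constructed for illustration; only the Android permission names are real.

```python
import re

# Constructed signature table: tracker name -> regex over Java class names.
# These tracker names and package prefixes are invented for illustration.
SIGNATURES = {
    "ExampleAds": r"^com\.exampleads\.sdk\.",
    "SampleGeo": r"^(io\.samplegeo|com\.samplegeo\.legacy)\.",
}
# Signature that researchers publish later (also constructed).
LATER_SIGNATURE = {"NewTracker": r"^net\.newtracker\."}

# Real Android permission names that expose sensitive data to embedded SDKs.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
}

def scan(class_names, permissions, signatures=SIGNATURES):
    """Return trackers whose signature matches a class, plus sensitive permissions."""
    compiled = {name: re.compile(rx) for name, rx in signatures.items()}
    found = {}
    for cls in class_names:
        for name, rx in compiled.items():
            if rx.search(cls):
                found.setdefault(name, []).append(cls)
    return {
        "trackers": {name: sorted(hits) for name, hits in sorted(found.items())},
        "sensitive_permissions": sorted(SENSITIVE_PERMISSIONS & set(permissions)),
    }

# Constructed input: class names as listed from an app's code, and the
# permissions its manifest requests.
SAMPLE_CLASSES = [
    "com.vendor.app.MainActivity",
    "com.exampleads.sdk.AdView",
    "io.samplegeo.LocationUploader",
    "net.newtracker.beacon.Collector",  # SDK with no signature yet
]
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
]

if __name__ == "__main__":
    print("known signatures only:", scan(SAMPLE_CLASSES, SAMPLE_PERMISSIONS))
    # After the signature list is updated, the same app reports a third tracker.
    updated = {**SIGNATURES, **LATER_SIGNATURE}
    print("after update:", scan(SAMPLE_CLASSES, SAMPLE_PERMISSIONS, updated))
```

The first scan reports two trackers and misses the third SDK entirely; only the updated signature list reveals it, which is why a "clean" result reflects the signature list at scan time rather than the app itself.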

Trackers and the Android apps wrapped around them are partial “black boxes”, as is Google Play itself. Other software markets such as the Apple iOS store also have this deficiency, making app analysis and auditing difficult. Many of the same companies distributing Google Play apps also distribute apps via Apple, and tracker companies openly advertise Software Development Kits (SDKs) compatible with multiple platforms. Thus, advertising trackers may be concurrently packaged for Android and iOS, as well as more obscure mobile platforms.

Insights into the advertising tracker business are often gleaned directly from tracker companies. FidZup, for example, has developed “communication between a sonic emitter and a mobile phone… by diffusing a tone, inaudible to the human ear, inside a building [FidZup] can detect the presence of mobile phones and therefore their owners”. Users installing “Bottin Gourmand”, a guide to restaurants and hotels in France, would thus have their physical location tracked via retail outlet speakers as they move around Paris. Their experience would be shared by readers of car magazine app “Auto Journal” and TV guide app “TeleStar”.

FidZup’s practices closely resemble those of Teemo (formerly known as Databerries), the tracker company that was embroiled in scandal earlier this year for studying the geolocation of 10 million French citizens, and SafeGraph, who “collected 17 trillion location markers for 10 million smartphones during [Thanksgiving] last year”. Both of these trackers have been profiled by Privacy Lab and can be identified by Exodus scans.

Perhaps more disconcerting is the potential impact of advertising trackers on the finances and healthcare of users. One app analyzed by Exodus, Mon AXA (“My AXA”), is developed by a multinational insurance and financial firm, and was found to contain six trackers. Exactly what information is shared is unknown, though the data stored by the app is extremely sensitive: “All Services of AXA France in Your Pocket”. Other AXA apps have been found to contain trackers, including “HealthLook”, “AXA Banque”, and “My Doctor”. They are joined by apps from Aetna, the American Red Cross, WebMD, American Express, Discover, HSBC, Wells Fargo, and PayPal.

How The Data Can be Used Against You

The information generated by the spyware in your phone is currently used primarily for marketing purposes but in the future will certainly be used for much more. Following are some possible scenarios where law-abiding people are harmed by spyware.

  • A man on disability visits a friend working at a gym. His disability is denied because a company spying on him claims that he was working out at the gym and is therefore not disabled.
  • A woman involved in a custody battle for her children is deemed an unfit mother and denied custody because a conversation she had with another person was recorded by her phone and taken out of context.
  • A man loses his job after his phone is shown to be at a shopping mall when he was supposed to have been home sick.
  • A man with cancer is denied coverage by his insurance company because the camera in his phone seemingly took a photo of him smoking when he claimed that he was a non-smoker. The man is bankrupted by medical bills and dies from the stress.
  • A woman with a gambling addiction is repeatedly shown custom tailored ads to exploit her weakness. She loses her family and home.
  • A man is arrested and charged with bank robbery because his phone showed him in the bank and leaving near the same time as the actual bank robber.
  • A student is arrested and charged as a sex offender because a class-mate hacked his phone and turned on the camera at an inopportune time, then notified authorities that he had child porn on his phone.
  • A journalist's confidential whistle-blowing source is murdered after his phone is tracked and the camera used to photograph the source.
  • A man is blackmailed when his phone is used to record an illicit affair.
  • A wedding party is blown up by a drone and women and children killed because one of them was carrying a phone which had been used to secretly record a conversation in which someone expressed anti-American sentiments. (Already happens frequently outside the U.S.)

Something Even Scarier

One of the greatest threats from mobile phones is the microwave radiation they emit and the potential for it to disrupt brain function, damage DNA and be used for mind control.

Cell phones work by emitting radio waves in the microwave frequency band. The frequencies emitted have wavelengths that are about the same size as the human head, which makes it very easy for them to penetrate through the skull and be absorbed by the brain.

A study conducted by Dr. Michael Klieeisen at the Spanish Neuro Diagnostic Research Institute in Marbella found that two minutes of cell phone usage disrupted brain function in children for up to an hour after the exposure ended. The abnormal brain function could result in psychiatric and behavioural problems and impair learning ability.

Patents going back to the 1960s have shown that using microwaves for mind control is extremely easy and there is some evidence that cell phone networks are already being used for mind control and social engineering.

It is quite possible that elections are already being influenced by microwave mind control. 

In addition, a mobile phone can be used for visual and auditory subliminal mind control. It is not difficult to embed images into the screen that appear for such a short time that the conscious mind cannot perceive them, just as it is possible to embed audio messages that can't be heard consciously.

It is not inconceivable that in the near future consumers will be influenced by their phones to buy certain products, be loyal to a particular brand or engage in behavior they might not normally engage in. At present there are no real technological barriers to a malicious hacker, corporation or government agency distributing an app that emits a mind control signal. When those signals are tailored specifically to each person using information obtained over years of close surveillance, they are vastly more effective.

How to Reduce Your Risk

When it comes to spyware and smart phones it is safest to assume the worst and take measures to protect yourself.

1. Be aware that your phone is a tracking, recording and influencing device and that it can be used against you and will likely be used against you in the future. 

2. Don't install any apps unless they are essential and then uninstall them when no longer needed. Be aware that you may not actually be able to uninstall an app. Be sure to read the app's terms of usage before installing. When you accept the terms of most apps you are consenting to being spied on.

3. Leave your phone off when not needed and remove the battery when possible.

4. Cover the microphone and camera on your phone with a piece of tape when not needed.

5. Avoid using your phone for the Internet whenever possible.

6. When using a search engine use DuckDuckGo or another non-tracking search engine. 

7. Use a Virtual Private Network (VPN).

8. Learn to live without a cell phone and WiFi. We survived for millennia without them and can do so again.