Android phones can be tracked without using their GPS or wi-fi data by studying their power use over time, a study has found.
A smartphone uses more power the further away it is from a cellular base and the more obstacles are in its way as it reaches for a signal.
Additional power use by other activities could be factored out with algorithms, the researchers found.
They created an app designed to collect data about power consumption.
"The malicious app has neither permission to access the GPS nor other location providers (eg cellular or wi-fi network)," the team - Yan Michalevsky, Dan Boneh and Aaron Schulman, from the computer science department at Stanford University, along with Gabi Nakibly, from Rafael Ltd - wrote in their paper.
"We only assume permission for network connectivity and access to the power data.
"These are very common permissions for an application, and are unlikely to raise suspicion on the part of the victim."
There are 179 apps currently available on Android app store Google Play that request this information, the team add.
Activity such as listening to music, activating maps, taking voice calls or using social media all drain the battery but this can be discounted due to "machine learning", the report says.
"Intuitively the reason why all this noise does not mislead our algorithms is that the noise is not correlated with the phone's location," it says.
"Therefore a sufficiently long power measurement (several minutes) enables the learning algorithm to 'see' through the noise."
The tests were carried out on phones using the 3G network but did not measure signal strength as that data is protected by the device.
'Stuffed with sensors'
"With mobile devices now becoming ubiquitous, it is troubling that we are seeing so many ways in which they can be used to track us," said cyber-security expert Prof Alan Woodward, from Surrey University.
"I think people sometimes forget that smartphones are stuffed full of sensors from gyroscopes and GPS to the more obvious microphones and cameras.
"This latest work shows that even that basic characteristics (power consumption) has the potential to invade privacy if monitored in the right way," he added.
"We are approaching the point where the only safe way to use your phone is to pull the battery out - and not all phones let you do that."
This sounds like the title of a children’s book, but unfortunately the issue highlighted in the press this week is more concerning than a story. The pre-loading of the SuperFish software on the Lenovo machines introduced a vulnerability to users even before they unboxed their new laptop.
There are several issues with the pre-installed application. One is that it is an ad-injector, which inserts adverts into your browser based on what you are searching for; unless you are an expert at identifying these, you might be directed to sites to purchase things without understanding why.
To do this more effectively, Superfish also installs a root certificate, which allows it to see traffic on encrypted websites, like your banking website, that you might have considered private and secure.
This is a bit like me giving out the keys to your house and could be abused by other malicious people and used to capture passwords and other personal information.
AVG detects and removes the Superfish add-on. If you had attempted to download something it was bundled with, AVG would have detected and blocked it, advising the user that it was an ‘unwanted application’ and potentially harmful.
This means no part of it was ever installed, which is good for existing AVG users. But what if you have purchased a Lenovo and then installed an anti-virus product? The risk here is that some parts are difficult to remove fully, as they are embedded into the system.
This week Lenovo has reacted to this and developed a removal tool which you can download here. There are also manual instructions available should you want to do this yourself.
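A read-only check for the root certificate described above, as an added example that is not code from AVG or Lenovo. It assumes the certificate can be recognised by the string "Superfish" in its subject or issuer; the function name `Find-SuspectRoot` and the variable names are illustrative.

```powershell
# Added example: audit the Windows trusted-root stores for a Superfish root.
# Assumption: the certificate carries "Superfish" in its subject or issuer.
$Pattern = 'Superfish'
$Stores  = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

function Find-SuspectRoot {
    param(
        [string[]]$StorePath,
        [string]$NamePattern
    )
    foreach ($path in $StorePath) {
        # Skip a store that does not exist for this account.
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path |
            Where-Object { $_.Subject -match $NamePattern -or $_.Issuer -match $NamePattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A trusted root stored with its private key can sign new
                    # certificates on this machine; ordinary trust anchors
                    # ship without one.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Nothing is deleted here; the script only reports what it finds.
$found = @(Find-SuspectRoot -StorePath $Stores -NamePattern $Pattern)
if ($found.Count -eq 0) {
    Write-Output "No certificate matching '$Pattern' in the Windows root stores."
} else {
    $found | Format-List
    Write-Warning "$($found.Count) matching root certificate(s) found; run the removal tool or follow the manual instructions."
}
```

Browsers that keep their own certificate store, such as Firefox, are not covered by this check and need to be inspected separately.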
There is a much wider issue for consumers, though: it’s becoming very difficult to know which products and manufacturers to trust and who is doing what with our data.
There are discussions in the tech industry on improving transparency so that consumers can once again have confidence in brands.
I believe that over the next few months we will see progress in a more coordinated effort by the security industry to protect users from these types of applications.
If you are at all concerned, then be sure to run a full system scan from your Anti-Virus product and ensure that the updates have been run. If you’re running an expired product, then either renew it or download the AVG AntiVirus Free solution here.
Running a small to medium business can be daunting as you juggle staff, clients, products, suppliers, finances, and the list goes on.
While you’re busy doing all of the above and more, have you ever thought about your business security and the risks that can be posed by your ex-employees? Do you have an exit strategy for your business where staff are given an exit interview, keys handed in and then all computer access removed for them?
With just under 3 months to go until Microsoft stops supporting Windows XP, it’s worth starting to plan what your business is going to do as the deadline draws nearer. That is, if you are still using it.
Perhaps you think that if you just continue as you are that “everything will be alright”, or have the attitude of “she’ll be fine mate, we’re careful”.
But if you’re approaching your business IT solutions in this way, it can be a nasty wake up call for you when issues arise and you can’t continue trading due to the loss of data or funds.
So here are some things to think about if your business still uses Windows XP: