Hundreds of Android apps could be covertly tracking users via inaudible sounds emitted by nearby devices, researchers have found.

Researchers found technology that uses ultrasonic tones to let devices talk to one another for tracking purposes in 234 Android apps.

Televisions, billboards, websites and shops can emit the high-frequency sounds, which can’t be heard by humans but are picked up by the apps. This signals whether a person has engaged with an advert by watching it, or visited a shop, and how long for.

Apps featuring the technology include those from McDonald’s and Krispy Kreme. Major companies could be using it to track customers’ location and habits, both on and off their mobile devices, without them knowing, the researchers warned.

“An adversary can monitor a user’s local TV viewing habits, track their visited locations and deduce their other devices,” said the researchers. “They can gain a detailed, comprehensive user profile with a regular mobile application and the device’s microphone.”

The tracking method has spiked in popularity recently, according to the researchers. Two years ago just five apps in the Google Play store used the technology. Now, it is allegedly present in 234.

As well as tracking customers’ habits, the beacon technology can also be used to send them targeted adverts. Given that the tool can connect location and habits with the device, it could also be used to identify anonymous users, such as those of Bitcoin and Tor.

The researchers from the Braunschweig University of Technology warned that millions of users could be under surveillance without knowing after they found that a sample of five of the 234 apps had been downloaded up to 11 million times.

[Image: five of the 234 apps that were built using the SilverPush SDK]

The majority of the apps don’t alert users that they are tracking them. All they require to be able to follow users is permission to access the device’s microphone.

“The user just needs to install a regular mobile application that is listening to ultrasonic signals through the microphone in the background,” said the researchers. “Once the user has installed these applications on their phone, they neither know when the microphone is activated nor are they able to see what information is sent to company servers.”
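One way to check a microphone recording for the kind of sustained inaudible tone described above, using the Goertzel algorithm. This is an added example, not code from the researchers or from any app named here. The 44.1 kHz sample rate, the 18-20 kHz probe band, the threshold and all function names are assumptions, and the signals are constructed.

```python
import math

RATE = 44100                       # assumed capture rate (Nyquist 22.05 kHz)
FRAME = 512                        # ~11.6 ms analysis frame
PROBES = range(18000, 20001, 100)  # assumed beacon band: 18-20 kHz
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * i / (FRAME - 1)) for i in range(FRAME)]
NORM = sum(HANN) / 2               # scales a bin magnitude back to tone amplitude

def goertzel_mag(xs, freq, rate=RATE):
    """Magnitude of the DTFT of xs at a single frequency (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in xs:
        s1, s2 = x + coeff * s1 - s2, s1
    return math.sqrt(max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0))

def band_amplitude(frame):
    """Strongest estimated tone amplitude inside the probe band for one frame."""
    xs = [x * w for x, w in zip(frame, HANN)]
    return max(goertzel_mag(xs, f) for f in PROBES) / NORM

def flagged_frames(samples, threshold=0.01):
    """Indexes of frames whose in-band amplitude exceeds the threshold."""
    frames = range(0, len(samples) - FRAME + 1, FRAME)
    return [i // FRAME for i in frames
            if band_amplitude(samples[i:i + FRAME]) > threshold]

def has_sustained_tone(samples, min_run=4, threshold=0.01):
    """True if min_run consecutive frames are flagged (one frame alone may be a click)."""
    run, prev = 0, None
    for idx in flagged_frames(samples, threshold):
        run = run + 1 if prev is not None and idx == prev + 1 else 1
        if run >= min_run:
            return True
        prev = idx
    return False

def tone(freq, amp, seconds):
    """Constructed test signal: a pure sine wave."""
    return [amp * math.sin(2 * math.pi * freq * i / RATE)
            for i in range(int(seconds * RATE))]

# Constructed inputs: audible audio alone, and the same audio with a quiet 18.6 kHz tone.
audible = tone(440, 0.5, 0.2)
with_beacon = [a + b for a, b in zip(audible, tone(18600, 0.05, 0.2))]

if __name__ == "__main__":
    print("audible only:", has_sustained_tone(audible))
    print("with beacon :", has_sustained_tone(with_beacon))
```

The added tone is ten times quieter than the audible signal, yet every frame is flagged because the probe band contains almost no energy from ordinary audio.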

Silverpush, the company that created the listening tool, denied that its technology was still being used. It stopped supporting the software in 2015 following a privacy outcry.

“We respect customer privacy and would not want to build our business foundation where privacy was questionable,” Hitesh Chawla, founder of Silverpush, told Ars Technica. “Even when we were live, our software was not present in more than 10 to 12 apps. So there is no chance that our presence in 234 apps is possible.

“Every time a new handset gets activated with our software, we get a ping on our server. We have not received any activation for six months now.”

Google said its privacy policy requires apps to disclose how they collect, use and share customer data.

McDonald’s said it did not use the technology in the UK for marketing purposes. Krispy Kreme has been contacted for comment.