Security Experts:

Shazam for Mac Keeps Listening Even When Disabled

The Mac version of the Shazam music discovery application keeps the device’s microphone active even after the user has switched off the app. While it doesn’t appear that Shazam is trying to spy on users, this behavior does have some security implications.

Patrick Wardle, director of research at Synack, recently warned that malware could silently spy on Mac OS X users through the device’s webcam and microphone by piggybacking on legitimate applications that use these functions, such as FaceTime and Skype.

In an effort to help people protect themselves against potential attacks, Wardle developed a tool, named OverSight, that alerts the user when the webcam or the microphone become active and allows them to block the process if it seems suspicious.

One user of the OverSight tool discovered that the Shazam widget keeps the microphone active even when the app has been switched off. Wardle has reverse engineered Shazam and confirmed that the application continues recording even after it has been turned off, but the expert determined that it does not process the audio data while disabled.

“Though it appears that Shazam is always recording even when the user has toggled it 'OFF', I saw no indication that this recorded data is ever processed (nor saved, exfiltrated, etc),” Wardle said in a blog post. “However, I still don't like an app that appears to be constantly pulling audio off my computer's internal mic. As such, I'm uninstalling Shazam as quickly as possible!”

The researcher believes a piece of malware could exploit this functionality to capture audio from the microphone without initiating a recording itself.

Shazam developers don’t see this behavior as a serious security risk, but they have promised to address the issue in the next days.

"We are always sensitive to what our users experience and we respect these concerns and take them very seriously. Even though we don't recognize a meaningful risk, the company will be updating its Mac app within the next few days,” James A. Pearson, VP of global communications at Shazam, said in an emailed statement. “Shazam has always learned from and listened to our global community. More importantly, we want our fans to always feel secure about using Shazam on a Mac Desktop."

“Contrary to recent rumors, Shazam doesn’t record anything. Shazam accesses the microphone on devices for the exclusive purpose of obtaining a small fingerprint of a subset of the soundwaves, which are then used exclusively to find a match in Shazam’s database and then deleted,” Pearson added.

*Updated with additional clarifications from Shazam

Related: New Tool Aims to Generically Detect Mac OS X Ransomware

Related: Little Snitch Flaw Exposed Mac Systems to Attacks

Related: Apple's Gatekeeper Bypassed Again

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.