Shazam for Mac keeps listening, even after you’ve switched it off

Shazam is a pretty neat app. You hear a piece of music, and want to know what it is. So you fire up Shazam, and after listening to the music for a few seconds it fires back an answer to you. Very clever.

I suspect most people, if they run it at all, use Shazam on their smartphone so they can identify a music track while they’re out at a bar or at a party. But you can also run it on your Windows PC or Mac.

And, according to Mac security researcher Patrick Wardle, there’s a peculiarity in Shazam’s macOS edition which might give Apple fans some cause for concern.

Wardle, you may remember, is the researcher who discovered that Mac malware could piggyback on legitimate webcam use, recording audio and video, without drawing attention to itself. After all, if you *meant* for your webcam to be on because you are, for instance, having a Skype call then you’re not surprised to see the webcam’s light switched on, signifying it is watching you.

That, however, is webcams. And webcams have one major difference over the microphone that apps like Shazam use. Microphones typically don’t give any visual indication that they are in use. And if you’re worried about being secretly recorded, that’s a concern.

Now Wardle has confirmed that the Shazam app for Macs keeps the computer’s microphone switched on even after a user has switched it off. A user of Wardle’s free OverSight utility, which monitors whenever a process accesses the webcam or internal microphone, uncovered the peculiar behaviour:

“Thanks to Oversight, I was able to figure out why my mic was always spying on me. Just to let you know, the Shazam widget keeps the microphone active even when you specifically switch the toggle to OFF in their app. Scary.”

Indeed, OverSight doesn’t display that access to the built-in microphone has been disabled when Shazam’s microphone is turned off.

Wardle’s investigations uncovered that Shazam is “always recording even when the user has toggled it to ‘OFF’”.

The good news is that he found no evidence that recorded data was being processed, saved or sent to a third-party server.

Shazam itself has confirmed his findings, explaining that it plans to address the issue in a future version of the program:

“The iOS and Mac apps use a shared SDK, hence the continued recording you are seeing on Mac. We use this continued recording on iOS for performance, allowing us to deliver faster song matched to users. As you rightly point out the SDK still pulls audio but doesn’t process it on Mac when the switch is toggled ‘OFF’. We will look to address this in a future update.”

In short, if Shazam didn’t keep the microphone on, it would take longer to start up and begin buffering the audio that it needs to analyse to make song matches. Users would, no doubt, be miffed by any reduction in performance – but at what cost does this extra performance come?

As The Register reports, there may be a genuine security risk that malware could piggyback on legitimate use of the Shazam app just as it could with legitimate use of a webcam:

“A piece of malware could easily inject into the app and ‘steal’ or ‘clone’ that recording, without having to initiate its own recording (thus avoiding any recording alerts)”

Shazam may be right that there is a bigger risk of users suffering a poor user experience than having their privacy invaded by Shazam-aware malware, but I’m still left feeling somewhat uncomfortable.

In my view, if an app gives you the option of turning off its access to your microphone I expect it to do precisely that – not to keep pulling audio from the built-in mic regardless.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.