Some Android systems always listen to BTLE beacons and transmit them to a Google server if the user has activated the "Google Location History" function together with either "High accuracy location mode" or "Bluetooth scanning". This is a configuration that is found among a large number of users.

Does this functionality also apply to the BTLE beacons sent out from the Corona app on other devices? This means that all Android phones configured as described above, even those which do not have the Corona App installed, can register the ephIDs of nearby Corona App users and send them to a Google server. This results in considerable data protection risks:

1. Google records the contact history of even those users who do not use the Corona App themselves (henceforth: 'non-users'). The only requirement is that the user has activated the "Google Location History" function and at the same time switched on the "High accuracy location mode" or "Bluetooth Scanning".

2. If users publish their ephIDs after testing positive, Google can use these records to determine which Android devices had contact with this infected user. Google is thus able to determine exposure events doe a large number of devices at once, including non-users.

3. By triangulating the registered BTLE beacons of several Android devices in close proximity, it can be assumed that Google can also map ephIDs to the sending devices, even before a user publishes his/her ephIDs upon testing positive.

4. Google can combine this information with account information including names, phone number and email address of users and non-users.

5. Auditing the DP3T system and user devices alone is not enough to mitigate this risk. All Android devices would have to get "audited" because all devices might collect beacons and send them to Google. This also applies to users not updating their Android.

Because the technical infrastructure for this attack already exists and in principle scales to the entirety of all Android users, the risk associated with this attack is very high. In particular, it should be pointed out that this vulnerability also includes collection of health related data of uninvolved parties, that is, users who do not install the Corona app themselves.