Ultrasound “beacons” are set up in various locations such as within stores. Apps that run on smart phones are constantly listening for ultrasound beacons (which are emitted above the audible range so we cannot hear them). Each beacon can encode a unique ID to be used to determine proximity to a specific location.
In some cases, ultrasound or other types of audible signals can be embedded in television or audio programming and apps can detect what you are listening to.
Two studies have examined the deployment and implications of ultrasonic beacons. Arp et al. measured the prevalence of ultrasonic beacons in the wild, and found them deployed on websites and in stores. Furthermore,they found 234 apps in the Google Play Store that were constantly, passively monitoring for these beacons, in order to track users’ online and offline browsing behaviors . Mavroudis et al. consider various attacks against users that leverage ultrasonic beacons, including de-anonymizing Tor users .
Source (academic paper): Panoptisypy: Characterizing Audio and Video Exfiltration from Android Applications
Numerous apps are using access to the array of environmental sensors (including cameras, microphones and more) to assess the environment in which the phone is being carried.