Some of the world’s most popular apps have likely been co-opted by rogue members of the ad industry to collect sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary previously sold global location data to US law enforcement.
Thousands of apps, included in the hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy trackers and religious prayer apps on Android and iOS. Because much of the collection occurs through the advertising ecosystem—rather than code developed by app creators themselves—this data collection likely occurs without the knowledge of users or even app developers.
“For the first time publicly, we appear to have evidence that one of the largest data brokers selling to commercial and government clients appears to be collecting their data from the ‘offer stream’ for online advertising,” instead of code embedded in the apps themselves, Zach Edwards, a senior threat analyst at cybersecurity firm Silent Push who has followed the location data industry closely, tells 404 Media after reviewing some of the data.
The data provides a rare insight into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include code packages that collected data about the location of their users. Many companies have instead turned to finding location information through the advertising ecosystem, where companies bid to place ads within apps. But a side effect is that data brokers can eavesdrop on that process and collect information about the location of people’s mobile phones.
“This is a nightmare scenario for privacy, because not only does this data breach contain data extracted from RTB systems, but there is also some company acting like a global honeybee, doing whatever it wants with any data that comes its way,” says Edwards.
Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices in the US, Russia and Europe. Some of these files also list the application next to each piece of location data. 404 Media extracted the app names and made a list of the mentioned apps.
The list includes dating apps Tinder and Grindr; mass-market games such as Candy Crush, Temple Run, Subway Surfers and Harry Potter: Riddles and Spells; transportation app Moovit; My Period Calendar & Tracker, a period tracking app with over 10 million downloads; the popular fitness application MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 Office application; and Flightradar24 flight tracking. The list also mentions more religion-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy tracking apps, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.
You can find a complete list here. Other security researchers have published their own lists of applications included in the data, of differing sizes. Our version is relatively larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to find the apps they installed.
While this data set came from an apparent hack of Gravy, it’s unclear whether Gravy collected this location data itself or obtained it from another company, or which location company ultimately owns or has a license to use it.