Mobile apps exploited to harvest location data on massive scale, hacked files reveal

Skye Jacobs

A hot potato: Thousands of popular mobile apps across Android and iOS are allegedly being exploited to harvest sensitive location data on an unprecedented scale. This data collection, occurring through the advertising ecosystem, is likely happening without the knowledge of users or even app developers themselves.

The information comes from hacked files belonging to Gravy Analytics, a location data company whose subsidiary, Venntel, has previously sold global location data to US law enforcement agencies. This information was reported by Wired, which collaborated with 404 Media to produce the story.

The data breach has exposed a sprawling network of apps, ranging from popular games like Candy Crush to dating apps such as Tinder and Grindr. It also includes sensitive categories such as pregnancy tracking and religious prayer apps.

"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,' rather than code embedded into the apps themselves," Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media.

This revelation sheds light on the world of real-time bidding (RTB), a process where companies bid to place ads inside apps. However, this system has a dangerous side effect: data brokers can intercept this process and harvest the location data of mobile phone users.

Edwards described this as "a nightmare scenario for privacy," adding that "there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way."

The scale of this data collection is staggering. The hacked Gravy data includes tens of millions of mobile phone coordinates from devices in the United States, Russia, and Europe. The list of affected apps is extensive, covering a wide range of categories including social networks, fitness trackers, email clients, and even VPN apps that users may have downloaded in an attempt to protect their privacy.

Although the data breach appears to involve Gravy Analytics, it remains unclear whether Gravy collected this location data itself or obtained it from another source. The dataset, which dates to 2024, offers a rare glimpse into the opaque world of the location data industry.

Gravy Analytics plays a pivotal role in this ecosystem, aggregating mobile phone location data from various sources and selling it to commercial entities or government agencies via its subsidiary, Venntel. Previous investigations revealed that Venntel's clients include several U.S. government agencies, such as Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), the IRS, the FBI, and the DEA.

The implications of this data collection are far-reaching, raising serious privacy concerns and highlighting the potential for this data to be used in ways that users never intended or consented to. For instance, 404 Media and other outlets previously demonstrated how a tool called Locate X, powered by Venntel's data, could be used to monitor visitors to out-of-state abortion clinics.

Most app developers and companies included in the list did not respond to requests for comment. However, Flightradar24 stated in an email that it had never heard of Gravy but acknowledged displaying ads to "help keep Flightradar24 free."

Tinder denied any relationship with Gravy Analytics, while Muslim Pro, one of the affected prayer apps, claimed it does not authorize ad networks to collect location data of its users.

The discovery that this data appears to originate from real-time bidding is particularly significant. It shifts accountability toward rogue actors in the advertising industry and the tech giants that facilitate it. It also suggests that many major app publishers may be unaware their users' data is being harvested, making it difficult for them to take preventive measures.

Krzysztof Franaszek, founder of digital forensics firm Adalytics, reviewed the leaked data and observed that "at least some of this data would likely have been sourced from advertising-related real-time bidding." He noted evidence that Google's advertising platform is serving some of the ads that enable this tracking by outside companies, including potential government contractors.

The FTC has recently taken action against similar practices. In December, the agency banned location data company Mobilewalla from collecting consumer data "from online advertising auctions for purposes other than participating in those auctions." The FTC also ordered Venntel and Gravy Analytics to delete historical location data and barred them from selling data related to sensitive areas, such as health clinics and places of worship, except under limited circumstances.

Remember when Google had the audacity of forcing people to not block ads with their Manifest V3? What's in V4 people's SSN and CC numbers served right there too?

Seriously in a fair world we should be way past Google being broken up, that's now the bare minimum and next step up is top management at Google facing some consequences for this, yes including jail time.
 
If EVERYONE blocked ads the ad business would die in a week.
Many people either don't care, are unwilling to figure out how or (wtf?) WANT ads.

I OWN my rather expensive monitor and decide what's onscreen, and I definitely refuse virtual salesmen access to my home and wallet.
Good luck abusing my location data and btw I'm in Amsterdam, NL.
 
I just watched a 2024 documentary titled "Surveilled". If you use a cell phone, you want to watch this! It was amazing what a program called "Pegasus" can do to your cell phone. You can watch it free on "1FreeMoviesFull": in the search bar at the top, type in Surveilled, and it will take you to the film. The servers they use don't always work, so you may have to come back later. But it will eventually work.


Synopsis for Surveilled:
Uncover the insidious ways in which our daily lives are being surveilled by the state. In a gripping chase, Ronan Farrow travels across the world following breadcrumbs and finally exposing a dark world of spyware, hacking, and peddling of private information, where activists and journalists are persecuted, and no one is protected from the watchful and vicious eyes of authoritarianism.
Released: 2024-11-15
Genre: Documentary
Cast: Ronan Farrow
 
Remember when Google had the audacity of forcing people to not block ads with their Manifest V3? What's in V4 people's SSN and CC numbers served right there too?

Seriously in a fair world we should be way past Google being broken up, that's now the bare minimum and next step up is top management at Google facing some consequences for this, yes including jail time.

Yes..........................LOTS of jail time, as in DECADES.
And BIG fines.
 