Some of the world's most popular apps are being co-opted by nefarious members of the advertising industry to collect sensitive location data on a massive scale, and that data is going to a location data company whose subsidiary previously collected global location data and sold it to American law enforcement.
The thousands of apps, listed in hacked files from location data company Gravy Analytics, cover everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps, on both Android and iOS. Because most of the collection is happening through the advertising ecosystem – not code developed by the app makers themselves – this data collection is likely happening without the knowledge of users or even the app developers.
“For the first time publicly, we have found evidence that one of the largest data brokers selling to both commercial and government clients is obtaining its data from online advertising 'bid streams,' rather than code embedded in apps,” Jack Edwards, senior threat analyst at cybersecurity firm Silent Push, who has followed the location data industry closely, tells 404 Media after reviewing some of the data.
The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have instead turned to capturing location information through the advertising ecosystem, where companies bid to place advertisements inside apps. But a side effect is that data brokers can listen in on that process and get the location of people's mobile phones.
“This is a nightmare for privacy, because this data breach not only involves data scraped from RTB systems, but there is some company out there that is acting like a global honey badger, taking advantage of all the data that comes its way, doing whatever it wants with each piece,” says Edwards.
The hacked Gravy data includes millions of mobile phone coordinates of devices in the US, Russia and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and created a list of the mentioned apps.
The list includes dating sites Tinder and Grindr; large-scale games such as Candy Crush, Temple Run, Subway Surfer, and Harry Potter: Riddles and Spells; transit app Mobility; My Period Calendar & Tracker, a period-tracking app with over 10 million downloads; the popular fitness app MyFitness Pro; social network Tumblr; Yahoo's email client; Microsoft's 365 Office apps; and flight tracker Flightradar24. The list also mentions several religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and several VPN apps that some users may download in an effort to protect their privacy.
The full list can be found here. Multiple security researchers have published other lists of the apps included in the data, of different sizes. Our version is relatively large because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had minor variations in their names to make it easier for readers to find the apps they installed.
Although this dataset comes from an apparent hack of Gravy, it is unclear whether Gravy collected this location data itself or obtained it from another company, or which location company ultimately owns it or has licensed access to it.