Some of the world’s most popular apps may have been co-opted by rogue members of the advertising industry to generate sensitive location data on a large scale, with the data ending up with location data companies whose subsidiaries have previously sold global location data to US law enforcement. Thousands of apps, included in the file hacked from the location data company Gravy Analytics, including everything from games like Candy love and dating apps like Tinder to track pregnancy and religious prayer apps between both Android and iOS. Because most collection occurs through the advertising ecosystem—not code developed by the app creators themselves—this data collection may occur without the knowledge of the user or even the app developer. one of the largest data brokers selling to commercial and government clients appears to be getting data from the ‘bid stream’ of online ads,” rather than code embedded in the app, said Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the data industry location closely, tells 404 Media after reviewing some of that data. Historically, location data companies have paid app developers to include code packages that collect user location data at applications. But the side effect is that data brokers can listen to people’s cell phone locations. Some companies are out there acting like global honey badgers, doing whatever they want with every piece of data that comes in,” Edwards said. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices in the US, Russia, and Europe. Some of these files also reference apps next to each piece of location data. 404 Media takes the name of the app and creates a list of the mentioned apps. The list includes dating sites Tinder and Grindr; great games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; the Moovit transit app; My Period Calendar & Tracker, a period tracking app with over 10 million downloads; popular fitness app MyFitness Pro; social network Tumblr; Yahoo email client; Microsoft 365 office applications; and flight tracker Flightradar24. The list also mentions various religion-focused applications such as Muslim prayer and Christian Bible applications, various pregnancy trackers, and many VPN applications, which some users may download, ironically, to protect their privacy. The full list can be found here. A number of security researchers have published lists of other applications included in the data, of varying sizes. Our version is relatively larger because it includes both Android and iOS applications, and we decided to keep a duplicate example of the same app that has a little name variation to make it easier for readers to find installed applications. Although this dataset comes from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or a source from another company, or the location company ultimately owns or has been licensed to use.
