Thousands of popular apps, including Candy Crush, Tinder, and MyFitnessPal, are potentially being...

Published: 11 March 2025
Channel: Invetech LLC

Hacked files from Gravy Analytics, a company that sells mobile phone location data to commercial businesses and government agencies (via its subsidiary Venntel), reveal how location data is harvested through real-time bidding (RTB) within the advertising ecosystem. Instead of directly collecting data from apps, companies now obtain location information by monitoring the RTB process where advertisers bid for ad space within apps.

The hacked Gravy data includes tens of millions of mobile phone coordinates from the US, Russia, and Europe, with some files referencing a specific app. The list of apps found in the data includes:

• Dating apps: Tinder and Grindr
• Games: Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells
• Transit app: Moovit
• Period-tracking app: My Period Calendar & Tracker
• Fitness app: MyFitnessPal
• Social network: Tumblr
• Email client: Yahoo’s email client
• Office app: Microsoft’s 365 office app
• Flight tracker: Flightradar24
• Religious apps: Muslim prayer and Christian Bible apps
• Various pregnancy trackers
• Many VPN apps

It appears that some of this data could date back to 2024 based on references to the Season 5 iteration of Call of Duty: Mobile, which was released in May 2024.

While it is not confirmed whether Gravy collected this data itself or obtained it from another company, the hacked data exposes the vast scope of apps potentially involved in a location data supply chain, often without the developers' awareness. Many app developers and companies mentioned in the list did not respond to requests for comment. Those who did respond stated that they had no relationship with Gravy Analytics and did not authorize ad networks to collect location data. However, this does not rule out the possibility that entities within the advertising ecosystem can still extract such data.

That this data was sourced through RTB matters for a few reasons:

• Responsibility: Rogue members of the advertising industry and the tech giants that facilitate that industry are likely responsible for this data collection.
• User Protection: Attempting to block ads could be a way for users to protect themselves.
• App Publisher Awareness: Massive app publishers may not be aware that their users' data is being collected. They therefore might not know how to stop it.

Surveillance firms can obtain RTB data by posing as prospective advertisers and acquiring ad tech companies. They can collect data on devices simply by being part of the advertising industry, even without successfully placing ads. Location data in this scenario can also include a user's IP address, which is then used to determine their general location.

Evidence suggests that Gravy may have sourced its data by interacting with the advertising system rather than through location-tracking code embedded in apps. This is supported by the presence of user-agents in the files referencing "afma-sdk", a string used by Google's Mobile Ads SDK. This suggests that Google's advertising platform may be inadvertently contributing to the tracking by outside companies and potentially government contractors. However, Google did not respond to requests for comment.
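For app publishers who want to see what a bid request exposes, the following added example (not from the original reporting or from any company named above) audits one request for the location-bearing fields described here and produces a minimized copy. It assumes OpenRTB 2.x field names (`device.geo`, `device.ip`, `device.ifa`, `device.ua`, `app.bundle`); the sample request and the function names are constructed for illustration.

```python
import copy
import ipaddress

# Constructed sample; field names follow OpenRTB 2.x (an assumption: the page
# names neither the RTB protocol nor its fields).
SAMPLE_BID_REQUEST = {
    "id": "constructed-request-1",
    "app": {"bundle": "com.example.game"},
    "device": {
        "ua": "Mozilla/5.0 (Linux; Android 14) afma-sdk-a-v0.0.0",
        "ip": "203.0.113.77",
        "ifa": "00000000-0000-4000-8000-000000000000",
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1},
    },
}
GEO_SOURCE = {1: "GPS/location services", 2: "IP-derived", 3: "user-provided"}

def audit_bid_request(req):
    """List the fields in a bid request that locate or identify the device."""
    device = req.get("device", {})
    geo = device.get("geo", {})
    findings = []
    if "lat" in geo and "lon" in geo:
        findings.append(f"coordinates ({GEO_SOURCE.get(geo.get('type'), 'unknown source')})")
    if device.get("ip"):
        findings.append("ip address")
    if device.get("ifa"):
        findings.append("advertising id")
    if "afma-sdk" in device.get("ua", ""):
        findings.append("user-agent references afma-sdk")
    if req.get("app", {}).get("bundle"):
        findings.append("app bundle")
    return findings

def minimize_bid_request(req, decimals=1):
    """Return a copy with coarse coordinates, a truncated IP and no advertising ID."""
    out = copy.deepcopy(req)
    device = out.get("device", {})
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(geo[key], decimals)  # 1 decimal is roughly 11 km
    if device.get("ip"):
        ip = ipaddress.ip_address(device["ip"])
        prefix = 24 if ip.version == 4 else 48
        device["ip"] = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)
    device.pop("ifa", None)
    return out
```

Even the minimized request still carries a truncated IP address and the app bundle, which matches the point above that an IP address alone gives a general location.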

The findings in the Gravy Analytics data raise serious concerns about the extent of location data harvesting through the advertising ecosystem and the lack of transparency surrounding these practices. The case of the Clare County couple highlights that criminals may use seemingly ordinary tools to deceive their victims. The use of seemingly harmless apps to collect sensitive location data further emphasizes the need for vigilance and proactive measures to protect personal information in an increasingly interconnected world.