Wired & 404 Media: Thousands of mobile apps will collect location data by 2024, affecting the privacy of tens of millions of users

Thousands of popular mobile apps on Android and iOS are allegedly being exploited to collect sensitive location data on an unprecedented scale. This data collection via the advertising ecosystem is likely happening without the knowledge of users or even the app developers themselves.

The information comes from hacked files from Gravy Analytics, a location data company whose subsidiary Venntel sold global location data to U.S. law enforcement agencies. Wired reported the information and worked with 404 Media to produce this report.

The data breach exposed a vast network of apps, ranging from popular games like Candy Crush to dating apps like Tinder and Grindr. It also included sensitive categories like pregnancy tracking and religious prayer apps.

“We have what appears to be the first public demonstration that one of the largest data brokers selling data to commercial and government clients appears to be harvesting data from online advertising ‘bidding streams’ rather than embedding code into the applications themselves,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media.

The news sheds new light on the world of real-time bidding (RTB), the process by which companies bid to place ads in apps. However, the system has a dangerous side effect: data brokers can intercept the process and obtain the location data of mobile phone users.

Edwards described this as a "privacy nightmare", adding: "There are companies that are like global honey badgers, doing whatever they want with every piece of data."

The scale of the data collection is staggering. The hacked Gravy data included tens of millions of cell phone coordinates from devices in the United States, Russia, and Europe. The list of affected apps is extensive, covering categories such as social networks, fitness trackers, email clients, and even VPN apps that users download to protect their privacy.

Although the data breach appears to involve Gravy Analytics, it remains unclear whether Gravy collected the location data itself or obtained it from another source. The dataset, which dates back to 2024, is a rare glimpse into the opaque world of the location data industry.

Gravy Analytics plays a pivotal role in this ecosystem, aggregating mobile phone location data from various sources and selling it to commercial entities or government agencies through its subsidiary Venntel. Previous investigations have shown that Venntel's customers include multiple U.S. government agencies, such as Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), Internal Revenue Service (IRS), Federal Bureau of Investigation (FBI) and Drug Enforcement Administration (DEA).

This data collection has far-reaching implications, raising serious privacy concerns and highlighting how the data could be used for purposes the user never intended or agreed to. For example, the media has shown how a tool called "Locate X" used Venntel data to monitor visitors to out-of-state abortion clinics.

Most of the app developers and companies on the list did not respond to requests for comment. However, Flightradar24 said in an email that it had never heard of Gravy but acknowledged that the ads were displayed to “help keep Flightradar24 free.”

Tinder denied any relationship with Gravy Analytics, while Muslim Pro (one of the affected prayer apps) claimed that it did not authorize the ad network to collect its users’ location data.

The discovery that this data appears to have originated from real-time bidding is particularly significant. It shifts the blame onto bad actors in the ad industry and the tech giants that facilitate it. It also suggests that many large app publishers may be unaware that their user data is being stolen, making it difficult to take preventative measures.

Krzysztof Franaszek, founder of digital forensics firm Adalytics, reviewed the leaked data and noted that "at least some of this data is likely coming from real-time bidding related to advertising." He pointed to evidence that Google's advertising platform is serving some ads that enable this kind of tracking by outside companies, including potential government contractors.

The Federal Trade Commission has also recently taken action against similar practices. In December, the agency banned location data company Mobilewalla from collecting consumer data “for purposes other than participating in online ad auctions.” The FTC also ordered Venntel and Gravy Analytics to delete historical location data and prohibited them from selling data related to sensitive areas (such as medical clinics and religious sites), except in limited circumstances.

From Chinese Industry Information Station