Candy Crush, Tinder, MyFitnessPal: See thousands of apps hijacked to spy on your location
Some of the world’s most popular apps are likely being abused by fraudulent members of the advertising industry to collect sensitive location data on a massive scale. This data then ends up with a location data company whose subsidiary previously sold global location data to US law enforcement.
The thousands of apps, contained in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps for Android and iOS. Since much of the data collection occurs through the advertising ecosystem and not through code developed by the app creators themselves, this data collection likely occurs without the knowledge of users or even the app developers.
“For the first time, we appear to have evidence that one of the largest data brokers, which sells to both commercial and government customers, appears to be getting its data from the online advertising ‘bid stream,’ rather than from code built into the apps itself,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, who follows the location data industry closely, told 404 Media after reviewing some of the data.
The data offers a rare glimpse into the world of real-time bidding (RTB). Historically, location data companies paid app developers to include bundles of code that collect their users’ location data. Many companies have instead turned to obtaining location information through the advertising ecosystem, in which companies bid to place ads in apps. However, a side effect is that data brokers can listen in on this process and determine the location of people’s cell phones.
“This is a data protection nightmare scenario because not only is this data breach involving data stolen from the RTB systems, but there is a company out there that is behaving like a global honey badger with every piece of data that gets in its way, doing whatever it wants,” says Edwards.
Included in the hacked Gravy data are tens of millions of cell phone coordinates from devices in the United States, Russia and Europe. In addition to the individual location data, some of these files also record the app from which each data point originated. 404 Media extracted the app names and created a list of the mentioned apps.
The list includes dating apps Tinder and Grindr; huge games like Candy Crush, Temple Run, Subway Surfers and Harry Potter: Puzzles and Spells; public transport app Moovit; My Period Calendar & Tracker, a period tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 Office app; and flight tracker Flightradar24. The list also mentions several religiously focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps that some users ironically download to protect their privacy.
The full list can be found here. Several security researchers have published other lists, of different sizes, of the apps contained in the data. Our version is relatively larger as it contains both Android and iOS apps. We decided to keep duplicate instances of the same app with slight naming variations to make it easier for readers to find the apps they have installed.
Although this data set appears to have come from a hacking attack on Gravy, it is not clear whether Gravy collected this location data itself or obtained it from another company, or which location company ultimately owns this data or has a license to use it.