Inside a Global Phone Spy Tool Monitoring Billions

A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool that can tracks billions of phone profiles through the advertising industry called Patternz. From the report: Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

404 Media's investigation, based on now deleted marketing materials and videos, technical forensic analysis, and research from privacy activists, provides one of the clearest examinations yet of how advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real time bidding data supply chain. The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut-off a company linked to the surveillance firm.

We have the power to end this.

[Anonymous Coward]

Maybe we should put an end to this now. Dump your cell phone plan. First get over the addiction to your smartphone. There's more to life than being "connected to forums and social media contacts". Visit your friends and family in person. You can talk then. If we do this the powers that be won't be able to keep tabs on us. When mobile phones evolved to what they are now I knew we were on a bad path. I dumped my Facebook account way back ... in 2014. Deleted all friends, contacts, photos, everyt

Dumb Phone

[pr0t0]

I'm not an off-grid living doomsday prepper type who transacts in cash with the security threads pulled out, but damn, stuff like this makes wonder if I might just be better off using a dumb flip phone. If nothing else, it would probably force me to live more "in the moment".

Then again, it would also force me to go back to terrestrial radio for music in the car. I...I don't think I can do that.

Re:Dumb Phone

[serafean]

Just get a "private and Free" phone.

From "normal" to extreme:
1 /e/OS
2 Lineage OS without google services
3 Librem 5 runing pureOS
4 pinephone running Postmarket OS.

I'm currently #2, trying #3. And I assure you, flip phone not necessary to kill off almost everything time wasting.

Re:

[jerryjnormandin]

I was thinking about switching my phone to a pinephone and keeping the old smartphone without service to use with my drones. You can't fly the Autel Evo, 3DR Solo, Parrot Bebop 2, or Fimi x8 mini FPV without a smartphone or tablet device. It doesn't require to be connected to the internet, just a connection to the drone controller. The data is not sent to the drone over wifi... it just uses the phone for some of the control inputs and the video stream.

Re:

[The-Ixian]

I have long been thinking about getting a Linux-based non-Googled phone.

My main uses are (in order of need):

1. e-mail
2. podcasts
3. SMS/RCS
4. Web browsing/searching
5. Photo taking
6. Cloud file sync
7. Maps
8. NFC/Tap-to-pay

(Ah, I see that /. removed ordered list tags at some point...)

I am assuming that most or all of those things are available on the open platforms. Maybe not the tap-to-pay since those seem to be specific to vendors, but it wouldn't be the end of the world for me if I had to give that one up.

Re:

[serafean]

Podcasts will work as long as its the standard RSS distribution model, not modern custom whatevers...
Cloud sync will work if you set it up. DAV, syncthing and others are your options.
I don't know about maps. Various OSM routers to the rescue I guess.

> NFC/Tap-to-pay

Good thing this is last., it's not possible on FLOSS phones. Banks usually require ARM Secure Enclave to enable that. Plus they build on top of Android/iOS.

Re:

[mspohr]

Braxphone
brax.me

Re:

[serafean]

That's #2 , but preinstalled.
Same as a murena (murena.com) phone.

Re:

[EvilSS]

But if you can't install any apps on the phone (as, per the article, it's the apps, not the underlying OS, spying on you) then why bother with a smart phone in the first place?

Re:

[sarren1901]

You could install the apps while on wifi then keep the phone off the network/cellular service and get most of it's functionality. If the phone isn't connected to a network while you are traveling, then it can't collect data on you.

Re:

[serafean]

Yeah, no, the phones I suggested really can't have most apps.
#2 is limited to f-droid and sideloaded apks
#3,4 is limited to whatever GNOME/KDE programs fit on the screen.

> on wifi then keep the phone off the network/cellular service and get most of it's functionality.

You couldn't even use offline navigation, as you don't have a guarantee the app doesn't tap into location. Depending on how much you trust Android permissions.
It can collect data, and send it later.

Re:

[Deal In One]

Doesn't matter how great your phone is, if you install and app thats spying on you.

In this case it seems it's the apps that were being used to spy on you, not the phone itself.

Re:

[Anonymous Coward]

I'm not a doomsday prepper either. But you can not deny law enforcement uses Facebook to get information on someone. You can't deny China uses smartphones to track activity of their citizens either.

Re:

[sarren1901]

If you post your life on Facebook, you don't believe in privacy anyway. Anyone willingly submitting anything and everything for attention on Facebook clearly doesn't care.

Re:

[sarren1901]

If you sub to spotify, then that's probably true. I just buy all my music off bandcamp. My phone has gigs of mp3s. I connect to my car with bluetooth and use VLC to make playlists of all the songs I want to listen to. Sometimes I just play a folder that I've already categorized.

It's awesome and I'm hoping the artists gets a bigger cut from bandcamp then spotify.

So, doing this, you can get your flip phone for calls and then have your smart phone not connected to the cellular network and still use it as a mus

No exception.

[stooo]

Privacy regulation is needed. Without any exception.

Re:No exception.

[Inglix the Mad]

Privacy regulation is needed. Without any exception.

Privacy regulation and we need to change the way companies are fined, including the leadership.

If a company makes US$1 Billion and get's fined US$5 million, well the fine is just a cost of doing business. On the flip side, if the company is fined 20 percent of income before any taxes, depreciation, or anything else for the first offense, that's a bit more problematic. Even more problematic when the fine rises, if the behavior reoccurs within 20 years, to 40 percent and finally 80 percent with a corporate death penalty. Investors might abandon the company after the second fine.

Wait, there's more...

Since executives, especially CEO's, love to tell us how indispensable they are to the company to justify their high compensation packages they're on the hook. So all company executives are stuck with the same fines as the company, based on their total compensation package. That's everything from pay to stock options to using the corporate jet to housing allowance or assistance. Everything. The fine will double similar to the company fine, 40 percent then 80 percent, but no death penalty. They just cant work as an executive, management, or serve on any board of any company that receives a cent from the government... including if that company owns a majority stake in any company that receives money from the government... for life.

This would be a good start at least.

Re:

[noshellswill]

Haha ! Your list of  corporate/C-suite financial penalties  for privacy violation is very-like  classic ROMAN JUSTICE. You have  however refrained  from  three other features of such justice: namely:
Flog them 'round-the-streets. Decimate survivors. Sell wives and daughters to Saudi whore-houses.
This was the penalty for Roman sentries deserting their posts.  The shoes fits post-mod C-suites very well. 

Re:

[Inglix the Mad]

I don't understand why you think that at all. The C-levels, not me, tell you they deserve their high compensation because they are absolutely indispensable and make the decisions. Well if that's true, and the company breaks the law, then I guess they shouldn't have made that decision.

This isn't rocket science, and I'm not even imprisoning them, simply fining them mate. Now if they break the law so much they get banned for life, it's not my fault it is their fault.

Re:No exception.

[Ormy]

Would your plan improve things? Yes, 100%, no question. Will it ever happen? Nope, 0% chance, never going to happen. The people who write and enact (or block) new laws are the same people (or at least are very friendly with the people) who would be on the hook. Therefore never going to happen, QED.

List of suspected apps?

[HnT]

Is there a more comprehensive list of the suspected apps (and platforms) available?

Re:

[laughingskeptic]

This method targets advertising and the information provided by apps and the browser for the purposes of providing the best and most valuable advertising possible. This company, many others and governments via contracted proxies just participate in this marketplace of information and gather enough information to identify both locations and individuals. You ARE your ad-id interest fingerprint. Many things from your home IP to your smart TV identify your home, your office IP identifies your work. Various

Re: Site name change

[RegistrationIsDumb83]

I'm all for privacy reporting, but there's something ironic about 404 having a free account sign up requirement to read the full article about privacy...

Re:

[fabiomb]

for me its a paywall, i dont even say "free account sign up", my data is my payment, so its a paywall

This is why we need regulation

[Pollux]

I've tried to explain to people why data harvesting is a dangerous thing. The response I typically get is "it's only advertising, what harm is there?" The harm is when the data collectors only care about money and don't give a damn about who they do business with. The scum that trade in personal data are as ruthless as the Ferengi, and they'll sell to marketers and insurance companies and the police and Uncle Sam and the CCP, if the price is right.

Don't be surprised one day when you get a letter from your insurance company saying that your rates are increasing because some app on your phone monitored you and determined that you're an increased risk to insure.

Better yet, can you imagine what life would be like if you get arrested immediately after entering a foreign country, because that country has an extradition treaty with China, who has a warrant for your arrest because you posted a picture of Winnie the Pooh waving a Chinese flag to social media?

Just you wait, because that's what's happening in our Brave New World, unless we regulate this industry.

Re:

[serafean]

And how does it work for you?

I'm down to trying the following:
Every election could be the last election, and the elected power could decide to clean house/country. How do you think you would fare?

I also usually link https://medium.com/@hansdezwar... [medium.com]

The best "getting through" to people on the street I have seen was John Oliver describing it as the "Dick pic" program.

Re:

[penguinoid]

Yeah people say "Hur dur, how will your 2nd Amendment fare against stealth bombers" as if the US would carpet bomb whole cities. No if the US government ever goes full Hitler-Stalin-Skynet the primary weapon they will use against you is your own cell phone/internet history, your contact list, your location history, your idiot friend's history. They'll know whether you're white/diverse, and whether you're a political ally, political enemy, or suspiciously uninvolved in politics. Or the government is fine but

paywalled content

[fabiomb]

cant read, why always linking paywalled content?

404 Media is really Vice's Motherboard

[TigerPlish]

404 is really Vice's defunct Motherboard

Always consider the source when evaluating an article. Who owns the entity, who pays for it, who advertises in it. Try to sniff for bias.

The way 404 gets flogged in /., they come across as muckrakers with an agenda. But then again, this describes all news orgs - muckrakers with an agenda.

https://en.m.wikipedia.org/wiki/404_Media

Re:

[The-Ixian]

They seem to be doing some good reporting though.

Don't load the nonsense apps...

[ole_timer]

...doh...

hundreds of thousands of ordinary apps?

[FudRucker]

so what should i do? a factory reset and not install any third party apps?

Re:

[NotEmmanuelGoldstein]

... third party apps?

Most developers have adopted the adware/spyware model with delight. There are a few no-network applets but they're not in the top-100 list and Google makes a point of hiding which applets access Personally Identifying Information (PII). A Google search for no-network android applets is the answer.

It's a laborious process to click through Google Play listings to check the permissions of each applet and ensure it doesn't access contacts, messages and call history. Next on the ban-list is phone identity a

Take the Shiny Shiny, leave the Contact list

[NotEmmanuelGoldstein]

... smaller, obscure advertising firms ...

People were more interested in the Shiny Shiny than why an applet wanted their contact list and a de facto VPN. It's obvious a flashlight applet wouldn't be sending LOL-cat photos to your grandmother.

to those that know

[kencurry]

Can anyone comment on this activity iOS vs android?

Oh!

[zmollusc]

I was under the impression that phones were themselves a spy tool monitoring billions around the globe. Should I be using thicker tinfoil for my hat?

Re: Oh!

[zmollusc]

'simple binary'? Keep your disgusting outmoded mental health slurs and sexual paradigms to yourself!