See the Thousands of Apps Hijacked To Spy On Your Location (404media.co)
An anonymous reader quotes a report from 404 Media: Some of the world's most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening without users' or even app developers' knowledge.
"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,'" rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data. The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of people's mobile phones.
"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards says. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy. 404 Media's full list of apps included in the data can be found here. There are also other lists available from other security researchers.
Spoiler (Score:5, Insightful)
Nobody will go to jail or face real consequences for this. Moving on.
Re:Spoiler (Score:4)
Oh, they all covered themselves legally, by requiring you to opt in before using the apps. There is no doubt all kinds of fine print saying that you agree to share your data with the app maker and "affiliates" of the app maker. An "affiliate" is defined as anybody the company does business with. So no, of course no one will go to jail.
Re:Spoiler (Score:5, Insightful)
We have been told that using ad blockers was morally wrong. That we were denying money owed to the app creators. And yet (as was shouted from the "hills" of the Internet by privacy advocates) allowing ads was leaving us vulnerable to abuse. Now, the proof has come out: our privacy was being violated all along.
This shouldn't surprise anyone at all. It was entirely and obviously predictable, given the "wild west" nature of the ad ecosystem.
So, the bottom line is clear: using ad blockers is a smart move and is entirely morally justified by this now-proven abuse of trust on the part of the advertisers.
Re: (Score:2, Insightful)
Sounds like brain damage to me: why on earth should anybody trust people whose job it is to lie for a living?
Re:Spoiler (Score:5, Insightful)
Also, ads are inherently hostile to good content, favoring clickbait fluff.
Re: (Score:3)
All this effort to spy on me and do the targeted ads ever seduce me to buy anything? No.
Do they occasionally make me feel hostile to the company delivering obnoxious ads? Yes.
Are these ad companies scamming us by stealing our data and then scamming the companies they are delivering ads for, by pretending those ads actually increase sales and make customers feel good about the company? I don't know but I suspect.
Gee another paywalled article thanks Editors (Score:2)
Can't read the article to ascertain how much of this is click bait versus real. Sure would be great if the editors could provide us something of use.
Re:Oh look a non-paywalled source! (Score:5, Informative)
Oh look, took me 30 seconds to find a non pay-walled source
Thanks useless Slashdot editors
https://www.wired.com/story/gr... [wired.com]
Location data how? (Score:3)
The second half of the article is paywalled so I can't see all of it, but I don't understand the granularity or source of the location data. Are the ad sites misusing the app's permissions to call location APIs and provide your exact location? Or are we just talking about the ad sites seeing the user's IP address? Which is annoying but kind of business as usual for the web. What is the new revelation in this story?
Re: (Score:3, Informative)
Based on the Wired article covering this, much of the location data comes from geolocation of IP addresses obtained through malicious use of ad networks.
Is this news to anyone? (Score:2)
Microsoft selling the location of Gov employees? (Score:5, Interesting)
Microsoft selling the location of Gov employees is a big deal if true: listed com.microsoft.office.outlook
Pretty sure selling the location would get you kicked out of some contracts.
use no apps (Score:1)
No ad-supported shitware here! (Score:3)
Adtech is evil, kids. Avoid when possible. Install a good ad blocker and crank up to "nuke from orbit". Many websites won't work if you do that, which is a sign you should not be visiting those sites. Don't use Google products. Don't install social media apps!
Re: (Score:2)
Re: (Score:2)
Many apps won't work if location and internet are disabled: Sometimes it's because the phone doesn't have GPS (for travel & astronomy & 'comfort' settings) but mostly it's because adverts are location-sensitive, so this is an easy way to blackmail cheapskates into selling their privacy.