See the Thousands of Apps Hijacked To Spy On Your Location (404media.co) 37

An anonymous reader quotes a report from 404 Media: Some of the world's most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening without users' or even app developers' knowledge.

"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,'" rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data. The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples' mobile phones.

"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards says. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.
404 Media's full list of apps included in the data can be found here. There are also other lists available from other security researchers.
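
An added illustration, not part of the 404 Media report or the Slashdot summary: a sketch of which fields in a bid request tie a location to an app and a device, and how a publisher-side filter could coarsen them before the request leaves. It assumes the request follows the IAB OpenRTB 2.x JSON layout (`device.geo`, `device.ip`, `device.ifa`, `app.bundle`); the sample request and the `audit` and `minimize` helpers are constructed for this example.

```python
import copy
import ipaddress

# Constructed sample shaped like an IAB OpenRTB 2.x bid request (not from the leak).
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "app": {"bundle": "com.example.game", "name": "Example Game"},
    "device": {
        "ifa": "00000000-0000-4000-8000-000000000001",
        "ip": "203.0.113.57",
        "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1},
    },
}
GEO_TYPE = {1: "GPS/location services", 2: "IP-derived", 3: "user-provided"}


def audit(req):
    """Return (field path, why it matters) pairs for location-linked fields."""
    findings = []
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    if "lat" in geo and "lon" in geo:
        src = GEO_TYPE.get(geo.get("type"), "unknown source")
        findings.append(("device.geo.lat/lon", f"coordinates ({src})"))
    for key in ("ip", "ipv6"):
        if key in dev:
            findings.append((f"device.{key}", "address can be geolocated"))
    if dev.get("ifa"):
        findings.append(("device.ifa", "stable ad ID links sightings over time"))
    if req.get("app", {}).get("bundle"):
        findings.append(("app.bundle", "names the app next to the location"))
    return findings


def minimize(req):
    """Copy of req with coordinates coarsened, IPv4 truncated, ad ID removed."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    geo = dev.get("geo", {})
    for axis in ("lat", "lon"):
        if axis in geo:
            geo[axis] = round(geo[axis], 1)  # 0.1 degree is roughly 11 km of latitude
    if "ip" in dev:
        net = ipaddress.ip_network(dev["ip"] + "/24", strict=False)
        dev["ip"] = str(net.network_address)
    dev.pop("ifa", None)
    dev.pop("ipv6", None)
    return out
```

The `geo.type` value is what separates coordinates taken from the device's location services from ones inferred from the IP address.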

  • Spoiler (Score:5, Insightful)

    by Moof123 ( 1292134 ) on Thursday January 09, 2025 @10:50PM (#65077129)

    Nobody will go to jail or face real consequences for this. Moving on.

    • by Tony Isaac ( 1301187 ) on Thursday January 09, 2025 @11:41PM (#65077181) Homepage

      Oh, they all covered themselves legally, by requiring you to opt in before using the apps. There is no doubt all kinds of fine print saying that you agree to share your data with the app maker and "affiliates" of the app maker. An "affiliate" is defined as anybody the company does business with. So no, of course no one will go to jail.

    • Re:Spoiler (Score:5, Insightful)

      by Brain-Fu ( 1274756 ) on Thursday January 09, 2025 @11:42PM (#65077185) Homepage Journal

      We have been told that using ad blockers was morally wrong. That we were denying money owed to the app creators. And yet (as was shouted from the "hills" of the Internet by privacy advocates) allowing ads was leaving us vulnerable to abuse. Now, the proof has come out: our privacy was being violated all along.

      This shouldn't surprise anyone at all. It was entirely and obviously predictable, given the "wild west" nature of the ad ecosystem.

      So, the bottom line is clear: using ad blockers is a smart move and is entirely morally justified by this now-proven abuse of trust on the part of the advertisers.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        So, the bottom line is clear: using ad blockers is a smart move and is entirely morally justified by this now-proven abuse of trust on the part of the advertisers.

        Sounds like brain damage to me: why on earth should anybody trust people whose job it is to lie for a living?

      • Re:Spoiler (Score:5, Insightful)

        by penguinoid ( 724646 ) on Friday January 10, 2025 @12:46AM (#65077239) Homepage Journal

        Also, ads are inherently hostile to good content, favoring clickbait fluff.

      • by yanyan ( 302849 )

        Are there genuine, effective ad blockers for Android that block web browsing ads and in-app ads without carrying malicious code of their own? I feel doing a search on any of the major search engines would return tainted results as this is something advertisers wouldn't want people to know.

        • Noroot firewall, very handy program that does exactly what it says. Can fine-tune (if you know what to block out) or blanket deny.

          If you like Chrome, there is Kiwi Browser. Allows for all manner of extensions from the chrome store.

          • "The chrome store"? If you don't trust Google or Chrome, why would you trust the Chrome store of extensions?
    • Re:Spoiler (Score:5, Interesting)

      by Morromist ( 1207276 ) on Friday January 10, 2025 @12:23AM (#65077213)

      All this effort to spy on me and do the targeted ads ever seduce me to buy anything? No.
      Do they occasionally make me feel hostile to the company delivering obnoxious ads? Yes.

      Are these ad companies scamming us by stealing our data and then scamming the companies they are delivering ads for, by pretending those ads actually increase sales and make customers feel good about the company? I don't know but I suspect.

      • I too suspect ads do any good. I mostly use Smart Tube Next, but sometimes I am forced to use the Youtube app on firestick which annoys me with ads. And on those rare occasions, I make it a point to avoid buying all the products that interrupted me during the video. I call it "ad vendetta".

      • "Do they occasionally make me feel hostile to the company delivering obnoxious ads? Yes."

        So what you're saying is that if I make an annoying ad that you associate with a competing brand, I can increase my revenue. Thanks!

  • Can't read the article to ascertain how much of this is click bait versus real. Sure would be great if the editors could provide us something of use.

  • by CNeb96 ( 60366 ) on Thursday January 09, 2025 @11:23PM (#65077159)

    The second half of the article is paywalled so I can't see all of it, but I don't understand the granularity or source of the location data. Are the ad sites misusing the app's permissions to call location APIs and provide your exact location? Or are we just talking about the ad sites seeing the user's IP address? Which is annoying but kind of business as usual for the web. What is the new revelation in this story?

    • Re: (Score:3, Informative)

      by Mr. Spock ( 25061 )

      Based on the Wired article covering this, much of the location data comes from geolocation of IP addresses obtained through malicious use of ad networks.

      • by mjwx ( 966435 )

        Based on the Wired article covering this, much of the location data comes from geolocation of IP addresses obtained through malicious use of ad networks.

        And this is why I generally refuse to use "apps".

        Most apps are just single use web browsers to begin with, the content is still hosted remotely. The only features they provide over using a web site is unblockable ads and slurping your private data... Neither of which are useful to the end user. Sure I paid £0.21 more than you for a burger but now Burger King and their advertisers know you've been looking for a Pokemon butt plug.

  • Ads find their way into any place they can force themselves, and if they can hoover up any personal info at the same time they will do so. We have all known this for decades, so how is this news now?
    • What's news to me is the sheer volume of utter shit that people seem to want to 'consume'. I mean, good god, really?

      The likes of "Tube Mp3 Mp4 Video Downloader" should have alarm bells ringing all over it. You only install that shit on a burner phone. I was interested to see Daily Mail Online on the list though - for those that don't know, the Daily Mail is a wanna-be newspaper here in the UK. It is well known as being utterly unreliable for actual news, yet it still has outrage-bait headlines about immigra

  • by johnjones ( 14274 ) on Thursday January 09, 2025 @11:38PM (#65077179) Homepage Journal

    Microsoft selling the location of Gov employees is a big deal if true: listed com.microsoft.office.outlook

    pretty sure selling the location would get you kicked out of some contracts

    • by DarkOx ( 621550 )

      It should be a big deal, on paper it might even be a big deal. The practical reality is nobody seems to care all that much.

      https://nyxgeek.wordpress.com/... [wordpress.com]

      Not only does Microsoft sell it, they give it away for free. Nyxgeek specifically did not query federal agencies; but if you do on your own you'd quickly discover most of them failed to make presence information less than public and are also vulnerable to basic user enumeration even when they have. You can find out exactly what hours some really i

  • and don't turn on location.. Res ipsa loquitur!
  • by ihadafivedigituid ( 8391795 ) on Friday January 10, 2025 @12:32AM (#65077225)
    I checked everything on my iPhone against the list and got no hits--which was no surprise because I don't do ads.

    Adtech is evil, kids. Avoid when possible. Install a good ad blocker and crank up to "nuke from orbit". Many websites won't work if you do that, which is a sign you should not be visiting those sites. Don't use Google products. Don't install social media apps!
    • 100% agree.
    • ... websites won't work ...

      Many apps won't work if location and internet are disabled: Sometimes it's because the phone doesn't have GPS (for travel & astronomy & 'comfort' settings) but mostly it's because adverts are location-sensitive, so this is an easy way to blackmail cheapskates into selling their privacy.

    • by Ormy ( 1430821 )
      I did the same check, exactly one of my apps is on the list, a shared calendar I use to coordinate with family. But using a DNS filter (e.g. personal DNS filter, available on f-droid) to see all outgoing connection requests, it is trivial to identify the ones used for the calendar itself and ones used for telemetry/tracking/ads and just block those. I've done this for all my apps, beside the privacy benefits it saves a ton on battery usage. If developers ever get wise to this and start serving core conte
    • One hit for me -- imgur. I barely ever use the thing, and it's half-busted in certain ways anyway, so that was an easy deletion.

      Looking over the list, the easiest way to avoid most of these problems is to not install game apps.

  • by ElimGarak000 ( 9327375 ) on Friday January 10, 2025 @06:17AM (#65077533)
    Is it irony or coincidence that ads are appearing in my /. feed for the first time, and the checkbox to hide them is nowhere to be seen, and this is the first /. article in my feed today?
    • by Malc ( 1751 )

      Other than a tiny one up in the top right next to the search box, I see no ads in /. in Safari + AdBlock Plus on my Mac. I see no ads at all on my iPhone with Safari + AdBlock Plus.

      What's interesting though is when I was recently on holiday in S. America, /. on my phone was infested with ads. When I turned on my VPN to my OpenVPN server running on a Raspberry Pi on my internet, all the ads vanished. There's definitely an element of location to the number of ads you see on /.

  • by FudRucker ( 866063 ) on Friday January 10, 2025 @08:38AM (#65077743)
    Should make a scanner app to install that lists all the spyware and uses this list as a database. I tried to read the list and it is HUGE.
