See the Thousands of Apps Hijacked To Spy On Your Location (404media.co)
An anonymous reader quotes a report from 404 Media: Some of the world's most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement. The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem -- not code developed by the app creators themselves -- this data collection is likely happening without users' or even app developers' knowledge.
"For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising 'bid stream,'" rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data. The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of peoples' mobile phones.
"This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way," Edwards says. Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps. The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo's email client; Microsoft's 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy. 404 Media's full list of apps included in the data can be found here. There are also other lists available from other security researchers.
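To make the bid-stream exposure described above concrete, here is an added example (not from 404 Media, Gravy Analytics or the leaked files) that audits one bid request for the location and identity fields every bidder receives, then builds a minimized copy. The field names follow the public OpenRTB 2.x specification; the sample request, `audit`, `minimize` and `places` are constructed for illustration.

```python
import copy
import json

# Constructed sample request. Field names follow the public OpenRTB 2.x
# specification; every value here is made up (assumption, not leaked data).
SAMPLE = json.loads("""{
  "id": "req-1",
  "app": {"bundle": "com.example.game"},
  "device": {"ifa": "00000000-1111-2222-3333-444444444444",
             "ip": "203.0.113.57",
             "geo": {"lat": 40.712776, "lon": -74.005974, "type": 1}}
}""")

# OpenRTB geo.type: how the sender says the location was derived.
GEO_SOURCE = {1: "GPS/location services", 2: "IP lookup", 3: "user provided"}

def places(x):
    """Decimal places carried by a coordinate (1 place is roughly 11 km)."""
    return len(f"{float(x):.7f}".rstrip("0").split(".")[1])

def audit(req):
    """List what every recipient of this bid request learns about the device."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    found = []
    if "lat" in geo and "lon" in geo:
        src = GEO_SOURCE.get(geo.get("type"), "unknown source")
        n = max(places(geo["lat"]), places(geo["lon"]))
        found.append(f"coordinates to {n} dp ({src})")
    if dev.get("ifa"):
        found.append("advertising ID")
    if dev.get("ip"):
        found.append("IP address")
    bundle = req.get("app", {}).get("bundle")
    if bundle and found:
        found.append(f"tied to app {bundle}")
    return found

def minimize(req, decimals=1):
    """Copy of req with coarse coordinates, no advertising ID, truncated IPv4."""
    out = copy.deepcopy(req)
    dev = out.get("device", {})
    geo = dev.get("geo", {})
    for key in ("lat", "lon"):
        if key in geo:
            geo[key] = round(float(geo[key]), decimals)
    dev.pop("ifa", None)
    if dev.get("ip", "").count(".") == 3:
        dev["ip"] = dev["ip"].rsplit(".", 1)[0] + ".0"
    return out
```

The `geo.type` value is what separates device-derived coordinates from an IP-based estimate, and the advertising ID is what lets separate requests be joined into a movement history for one device.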
Spoiler (Score:5, Insightful)
Nobody will go to jail or face real consequences for this. Moving on.
Re:Spoiler (Score:4)
Oh, they all covered themselves legally, by requiring you to opt in before using the apps. There is no doubt all kinds of fine print saying that you agree to share your data with the app maker and "affiliates" of the app maker. An "affiliate" is defined as anybody the company does business with. So no, of course no one will go to jail.
Re:Spoiler (Score:5, Insightful)
We have been told that using ad blockers was morally wrong. That we were denying money owed to the app creators. And yet (as was shouted from the "hills" of the Internet by privacy advocates) allowing ads was leaving us vulnerable to abuse. Now, the proof has come out: our privacy was being violated all along.
This shouldn't surprise anyone at all. It was entirely and obviously predictable, given the "wild west" nature of the ad ecosystem.
So, the bottom line is clear: using ad blockers is a smart move and is entirely morally justified by this now-proven abuse of trust on the part of the advertisers.
Re: (Score:2, Insightful)
Sounds like brain damage to me: why on earth should anybody trust people whose job it is to lie for a living?
Re:Spoiler (Score:5, Insightful)
Also, ads are inherently hostile to good content, favoring clickbait fluff.
Re: (Score:3)
Are there genuine, effective ad blockers for Android that block web browsing ads and in-app ads without carrying malicious code of their own? I feel doing a search on any of the major search engines would return tainted results as this is something advertisers wouldn't want people to know.
Re: (Score:3)
Noroot firewall, very handy program that does exactly what it says. Can fine-tune (if you know what to block out) or blanket deny.
If you like Chrome, there is Kiwi Browser. Allows for all manner of extensions from the chrome store.
Re: (Score:2)
Re:Spoiler (Score:5, Interesting)
All this effort to spy on me and do the targeted ads ever seduce me to buy anything? No.
Do they occasionally make me feel hostile to the company delivering obnoxious ads? Yes.
Are these ad companies scamming us by stealing our data and then scamming the companies they are delivering ads for, by pretending those ads actually increase sales and make customers feel good about the company? I don't know but I suspect.
Re: (Score:2)
I too suspect ads do any good. I mostly use Smart Tube Next, but sometimes I am forced to use the Youtube app on firestick which annoys me with ads. And on those rare occasions, I make it a point to avoid buying all the products that interrupted me during the video. I call it "ad vendetta".
Re: (Score:2)
"Do they occasionally make me feel hostile to the company delivering obnoxious ads? Yes."
So what you're saying is that if I make an annoying ad that you associate with a competing brand, I can increase my revenue. Thanks!
Re: (Score:2)
I've never been diagnosed, but I suspect that I fall somewhere on the autism spectrum, and those who know me best support and encourage this.
What I've learned through my personal explorations of HFA is that most people think very differently than I and others with HFA.
I agree with every word that you said. But on a personal and subjective level.
A few weeks back my wife and I were driving to a family Christmas gathering, and an annoying advertisement started playing on the radio involving an incredibly obnox
Gee another paywalled article thanks Editors (Score:2)
Can't read the article to ascertain how much of this is click bait versus real. Sure would be great if the editors could provide us something of use.
Re:Oh look a non-paywalled source! (Score:5, Informative)
Oh look, took me 30 seconds to find a non pay-walled source
Thanks useless Slashdot editors
https://www.wired.com/story/gr... [wired.com]
Re: (Score:2)
Thanks! I had to disable javascript to read the article.
Re: (Score:2)
This is the list: https://docs.google.com/spread... [google.com]
Re: (Score:2)
The issue is ad networks tracking you, yet you'll only read about it on ad-sponsored media?
Location data how? (Score:3)
The second half of the article is paywalled so I can't see all of it but I don't understand the granularity or source of the location data. Are the ad sites misusing the app's permissions to call location APIs and provide your exact location? Or are we just talking about the ad sites seeing the user's IP address? Which is annoying but kind of business as usual for the web. What is the new revelation in this story?
Re: (Score:3, Informative)
Based on the Wired article covering this, much of the location data comes from geolocation of IP addresses obtained through malicious use of ad networks.
Re:Location data how? (Score:4)
Based on the Wired article covering this, much of the location data comes from geolocation of IP addresses obtained through malicious use of ad networks.
And this is why I generally refuse to use "apps".
Most apps are just single use web browsers to begin with, the content is still hosted remotely. The only features they provide over using a web site is unblockable ads and slurping your private data... Neither of which are useful to the end user. Sure I paid £0.21 more than you for a burger but now Burger King and their advertisers know you've been looking for a Pokemon butt plug.
Is this news to anyone? (Score:2)
Re: (Score:2)
What's news to me is the sheer volume of utter shit that people seem to want to 'consume'. I mean, good god, really?
The likes of "Tube Mp3 Mp4 Video Downloader" should have alarm bells ringing all over it. You only install that shit on a burner phone. I was interested to see Daily Mail Online on the list though - for those that don't know, the Daily Mail is a wanna-be newspaper here in the UK. It is well known as being utterly unreliable for actual news, yet it still has outrage-bait headlines about immigra
Microsoft selling the location of Gov employees? (Score:5, Interesting)
Microsoft selling the location of Gov employees is a big deal if true: listed com.microsoft.office.outlook
pretty sure selling the location would get you kicked out of some contracts
Re: (Score:2)
It should be a big deal, on paper it might even be a big deal. The practical reality is nobody seems to care all that much.
https://nyxgeek.wordpress.com/... [wordpress.com]
Not only does Microsoft sell it, they give it away for free. Nyxgeek specifically did not query federal agencies; but if you do on your own you'd quickly discover most of them failed to make presence information less than public and are also vulnerable to basic user enumeration even when they have. You can find out exactly what hours some really i
use no apps (Score:1)
No ad-supported shitware here! (Score:3)
Adtech is evil, kids. Avoid when possible. Install a good ad blocker and crank up to "nuke from orbit". Many websites won't work if you do that, which is a sign you should not be visiting those sites. Don't use Google products. Don't install social media apps!
Re: (Score:2)
Re: (Score:2)
Many apps won't work if location and internet are disabled: Sometimes it's because the phone doesn't have GPS (for travel & astronomy & 'comfort' settings) but mostly it's because adverts are location-sensitive, so this is an easy way to blackmail cheapskates into selling their privacy.
Re: (Score:3)
Re: (Score:2)
Add dns.adguard-dns.com to your Private DNS settings in Android. Or use family.adguard-dns.com for blocking adult content as well.
Doing the same for iPhone is ridiculously more complicated than it needs to be.
Flightradar24 is tolerable with ads blocked, but not without.
Re: (Score:2)
One hit for me -- imgur. I barely ever use the thing, and it's half-busted in certain ways anyway, so that was an easy deletion.
Looking over the list, the easiest way to avoid most of these problems is to not install game apps.
Irony or coincidence? (Score:4, Interesting)
Re: (Score:2)
Other than a tiny one up in the top right next to the search box, I see no ads in /. in Safari + AdBlock Plus on my Mac. I see no ads at all on my iPhone with Safari + AdBlock Plus.
What's interesting though is when I was recently on holiday in S. America, /. on my phone was infested with ads. When I turned on my VPN to my OpenVPN server running on a Raspberry Pi on my internet, all the ads vanished. There's definitely an element of location to the number of ads you see on /.
Re: (Score:2)
That should have said: OpenVPN server running on a Raspberry Pi on my home internet connection.
Re: (Score:2)
Apple and Android both (Score:3)
NetGuard VPN (Score:1)
Things like this are why I use the NetGuard VPN [netguard.me] app. It allows you to control which apps have access to the internet. For apps that don't need an internet connection for functionality, it seems to be effective at blocking ads in the apps. It also offers capability for some filtering and traffic analysis.