Ads in Thousands of Apps Hijacked to Spy on Your Location ⇥ 404media.co
Joseph Cox, 404 Media:
Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people’s precise movements, and they are threatening to publish the data publicly.
You remember Gravy Analytics, right? It is the one from the stories and the FTC settlements, though it should not be confused with all the other ones.
Cox, again, 404 Media:
Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.
The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps; various pregnancy trackers; and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.
This location data, some of it more granular than others, appears to be derived from real-time bidding on advertising, much like the Patternz case last year. In linking to — surprise — Cox’s reporting on Patternz, I also pointed to a slowly developing lawsuit against Google. In a filing (PDF) from the plaintiffs, so far untested in court, there are some passages that can help contextualize the scale and scope of real-time bidding data (emphasis mine):
As to the Court’s second concern about the representative nature of the RTB data produced for the plaintiffs (the “Plaintiff data”), following the Court’s Order, Google produced six ten-minute intervals of class-wide RTB bid data spread over a three-year period (2021-2023) (the “Class data”). Further Pritzker Decl., ¶ 17. Prof. Shafiq analyzed this production, encompassing over 120 terabytes of data and almost [redacted] billion RTB bid requests. His analysis directly answers the Court’s inquiry, affirming that the RTB data are uniformly personal information for the plaintiffs and the Class, and that the Plaintiff data is in fact representative of the Class as a whole.
[…]
[…] For the six ten-minute periods of Class data Google produced, Prof. Shafiq finds that there were at least [redacted] different companies receiving the bid data located in at least [redacted] countries, and that the companies included some of the largest technology companies in the world. […]
This is Google, not Gravy Analytics, but still — this entire industry is morally bankrupt. It should not be a radical position that using an app on your phone or browsing the web should not opt you into such egregious violations of basic elements of your privacy.