Major apps worldwide are potentially being exploited by rogue members within the advertising sector to collect sensitive location data extensively, which subsequently is transferred to a location data firm whose subsidiary has previously sold global location data to US law enforcement agencies.
The thousands of apps discovered in hacked files from location data firm Gravy Analytics range from games like Candy Crush to dating apps like Tinder, pregnancy tracking, and religious prayer apps for both Android and iOS. Because much of the data collection occurs through the advertising ecosystem rather than code developed by app creators themselves, it is likely that users or even app developers are unaware of it.
After examining some of the data, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and an avid follower of the location data space, tells 404 Media, “For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising bid stream,” instead of code embedded in the apps themselves.