Exposed: How Candy Crush, Tinder, MyFitnessPal, and Thousands of Other Apps Are Tracking Your Location

Recent reports reveal that rogue elements within the advertising industry are potentially exploiting some of the world’s most well-known applications to extract sensitive geolocation information on a large scale. This data is reportedly ending up with a location data firm, Gravy Analytics, known to have previously sold this information to U.S. law enforcement agencies.

The compromised data encompasses thousands of applications, ranging from popular mobile games like Candy Crush to dating platforms such as Tinder, and even applications centered around pregnancy tracking and religious practices, utilized on both Android and iOS devices. The current concern arises from the fact that much of this data collection appears to be occurring through the advertising framework, rather than through code developed by the app creators themselves. This raises significant privacy issues as many users, as well as app developers, may be unaware that such collection is taking place.

Zach Edwards, a senior threat analyst at cybersecurity forensics firm Silent Push, indicated that this situation marks a troubling development in data brokerage. He pointed out that evidence suggests one of the largest data brokers is securing its data not from the applications directly but from the online advertising “bid stream”. This method deviates from the traditional practice, in which location data firms would pay app developers to include specific code for data collection, and it potentially circumvents user consent.

The implications of this data extraction process are profound, as it provides a unique insight into the mechanics of real-time bidding in the digital advertising ecosystem. While convenience in ad placement has driven many companies to seek location information through this bidding system, the same system also gives data brokers access to users’ location data without transparency, effectively letting them eavesdrop on the data process.

From a privacy perspective, this breach represents a significant threat. Edwards emphasized the gravity of the situation, noting that the data leak includes millions of geolocation coordinates from mobile devices located in the U.S., Russia, and several European countries, many of which are accompanied by app identifiers. Security researchers have since compiled extensive lists of the affected apps, which include high-profile platforms like Tinder, Grindr, and various fitness and pregnancy tracking applications.

Although the dataset emerged from a suspected breach of Gravy Analytics, the exact source of the location data remains ambiguous. It is unclear whether Gravy collected this data in-house or sourced it from third-party companies, and it is unknown which entity ultimately retains ownership or licensing rights over this critical data.

This incident highlights potential vulnerabilities that could align with tactics and techniques outlined in the MITRE ATT&CK framework, such as initial access and persistence, as adversaries may utilize advertising networks to infiltrate and sustain their data collection efforts. As the digital landscape continues to evolve, the need for heightened awareness and robust security measures becomes increasingly critical for businesses relying on app-based ecosystems. Understanding these tactics is essential for tech-savvy business owners aiming to safeguard their operations from similar cyber threats in the future.
