Mobile apps exploited to harvest location data on massive scale, hacked files reveal


A hot potato: Thousands of popular mobile apps across Android and iOS are allegedly being exploited to harvest sensitive location data on an unprecedented scale. This data collection, occurring through the advertising ecosystem, is likely happening without the knowledge of users or even app developers themselves.

The information comes from hacked files belonging to Gravy Analytics, a location data company whose subsidiary, Venntel, has previously sold global location data to US law enforcement agencies. This information was reported by Wired, which collaborated with 404 Media to produce the story.

The data breach has exposed a sprawling network of apps, ranging from popular games like Candy Crush to dating apps such as Tinder and Grindr. It also includes sensitive categories such as pregnancy tracking and religious prayer apps.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’ rather than code embedded into the apps themselves,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, told 404 Media.

This revelation sheds light on the world of real-time bidding (RTB), a process where companies bid to place ads inside apps. However, this system has a dangerous side effect: data brokers can intercept this process and harvest the location data of mobile phone users.
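As an added illustration, not code from the article or from any company it names, the check below shows what an app publisher or supply-side platform could run on its own outbound bid requests to see which precise-location and identifier fields it is exposing to every bidder, and how to coarsen them before they leave. It assumes OpenRTB 2.x field names (`device.geo.lat`, `device.geo.lon`, `device.geo.accuracy`, `device.ifa`, `device.ip`) and uses a constructed sample request.

```python
import copy
import json

# Constructed sample bid request; the coordinates, app bundle and IFA are made up.
SAMPLE_BID_REQUEST = json.dumps({
    "id": "req-0001",
    "app": {"bundle": "com.example.prayerapp", "name": "Example Prayer App"},
    "device": {
        "ifa": "00000000-1111-2222-3333-444444444444",
        "ip": "203.0.113.10",
        "geo": {"lat": 38.897957, "lon": -77.036560, "type": 1, "accuracy": 5},
    },
})

# Fields that let a bid-stream observer pin a device to a place and re-identify it later.
SENSITIVE_DEVICE_KEYS = ("ifa", "ip")
SENSITIVE_GEO_KEYS = ("lat", "lon", "accuracy")


def _load(req):
    """Accept either a JSON string or an already-parsed dict; never mutate the input."""
    return json.loads(req) if isinstance(req, str) else copy.deepcopy(req)


def audit_bid_request(req):
    """List the sensitive fields a bidder (or anyone watching the bid stream) would receive."""
    device = _load(req).get("device", {})
    found = [f"device.{k}" for k in SENSITIVE_DEVICE_KEYS if k in device]
    geo = device.get("geo", {})
    found += [f"device.geo.{k}" for k in SENSITIVE_GEO_KEYS if k in geo]
    return found


def coarsen_bid_request(req, decimals=1):
    """Return a copy with identifiers removed and coordinates rounded.

    One decimal place is roughly 11 km of latitude, enough for regional ad
    targeting but not for placing a phone at a clinic or place of worship.
    """
    out = _load(req)
    device = out.get("device", {})
    for k in SENSITIVE_DEVICE_KEYS:
        device.pop(k, None)
    geo = device.get("geo")
    if geo:
        for k in ("lat", "lon"):
            if k in geo:
                geo[k] = round(geo[k], decimals)
        geo.pop("accuracy", None)  # a stated 5 m accuracy would contradict the rounding
        geo.pop("type", None)      # no longer a raw GPS fix, so drop the GPS type marker
    return out
```

Run `audit_bid_request` against real traffic captured from your own SDK before and after any coarsening step; the coarsened request still carries a rough location, which is the point of the exercise, not a leak.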

Edwards described this as “a nightmare scenario for privacy,” adding that “there’s some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way.”

The scale of this data collection is staggering. The hacked Gravy data includes tens of millions of mobile phone coordinates from devices in the United States, Russia, and Europe. The list of affected apps is extensive, covering a wide range of categories including social networks, fitness trackers, email clients, and even VPN apps that users may have downloaded in an attempt to protect their privacy.

Although the data breach appears to involve Gravy Analytics, it remains unclear whether Gravy collected this location data itself or obtained it from another source. The dataset, which dates to 2024, offers a rare glimpse into the opaque world of the location data industry.

Gravy Analytics plays a pivotal role in this ecosystem, aggregating mobile phone location data from various sources and selling it to commercial entities or government agencies via its subsidiary, Venntel. Previous investigations revealed that Venntel’s clients include several U.S. government agencies, such as Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), the IRS, the FBI, and the DEA.

The implications of this data collection are far-reaching, raising serious privacy concerns and highlighting the potential for this data to be used in ways that users never intended or consented to. For instance, 404 Media and other outlets previously demonstrated how a tool called Locate X, powered by Venntel’s data, could be used to monitor visitors to out-of-state abortion clinics.

Most app developers and companies included in the list did not respond to requests for comment. However, Flightradar24 stated in an email that it had never heard of Gravy but acknowledged displaying ads to “help keep Flightradar24 free.”

Tinder denied any relationship with Gravy Analytics, while Muslim Pro, one of the affected prayer apps, claimed it does not authorize ad networks to collect location data of its users.

The discovery that this data appears to originate from real-time bidding is particularly significant. It shifts accountability toward rogue actors in the advertising industry and the tech giants that facilitate it. It also suggests that many major app publishers may be unaware their users’ data is being harvested, making it difficult for them to take preventive measures.

Krzysztof Franaszek, founder of digital forensics firm Adalytics, reviewed the leaked data and observed that “at least some of this data would likely have been sourced from advertising-related real-time bidding.” He noted evidence that Google’s advertising platform is serving some of the ads that enable this tracking by outside companies, including potential government contractors.

The FTC has recently taken action against similar practices. In December, the agency banned location data company Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” The FTC also ordered Venntel and Gravy Analytics to delete historical location data and barred them from selling data related to sensitive areas, such as health clinics and places of worship, except under limited circumstances.
