This week, a hack has brought cybersecurity back into the spotlight, revealing something big. However, the attack wasn’t targeting users, but rather a “data-scraper” company that is harvesting the location of thousands of users and potentially selling it to the highest bidder. The most worrying part is that the company is getting the location data from smartphone apps without the developers being aware of it.
Gravy Analytics getting location data from millions of smartphones through popular apps
A hacker group breached Gravy Analytics, a firm focused on collecting location data. In the past, Gravy has been caught selling information to government organizations. The firm hasn’t been harvesting the data by trojanizing apps or hacking the code. The company has chosen to exploit the advertising ecosystem so prevalent in smartphone apps. More specifically, they are taking advantage of the real-time bidding (RTB) system that dominates the segment today. This also means that app developers have no say in the process. So, the vast majority weren’t even aware that something like this was happening.
RTB is a system where companies bid to have their ads visible in apps. This also means that data brokers can “watch” the process, keeping the location data of smartphone users if they want. The report from 404 Media and Wired says that millions of users in the US, Russia, and Europe are affected.
Stolen location data is from 2024, clues suggest
It’s not yet clear if Gravy is the main player in stealing user data. It’s also possible that they get the data from other firms. The RTB system allows malicious companies to obtain location data by posing as potential advertisers. They can start gathering data simply by accessing bidding platforms or acquiring other ad tech companies. Gravy has a subsidiary called Venntel. The latter is the company that deals directly with US government agencies for the sale of location data. They also sell the data to more traditional commercial companies.
Some clues suggest that the discovered data is from last year. Call of Duty: Mobile is among the affected apps, and the hack showed that Gravy collected user data from the “Season 5” update. That update arrived in May 2024. Plus, the data is not being obtained from the smartphones’ GPS, but through their IP address. This helped the company’s practices go even further unnoticed.
Apps affected by Gravy’s practices
There’s a massive list of around 12,000 apps affected by Gravy’s location data scraping. While it’s impossible to list them all, there are some that stand out for their popularity or niche. The list includes Tinder, Grindr, My Period Calendar & Tracker, MyFitnessPal, Tumblr, Yahoo Mail, Microsoft 365, Flightradar24, Moovit, Muslim Pro, and Christian Bible, among others. Popular games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells were also affected. The full list also includes many VPN apps and pregnancy trackers.
Most of the affected app developers did not comment on the findings. However, the developers of Flightradar24, Tinder, Grindr, and Muslim Pro claim they have nothing to do with Gravy or have never even heard of the company. The issue affects apps on both Android and iOS devices. That said, neither Google nor Apple have issued a statement on the matter yet.
