Massive Location Data Harvest Exposed: Popular Mobile Apps Used to Track Users


A data breach has revealed that thousands of popular mobile apps on Android and iOS have been exploited to harvest sensitive location data on an unprecedented scale. The breach exposes how real-time bidding (RTB) ad networks are being manipulated by data brokers, raising significant privacy concerns for users worldwide.

The information comes from hacked files belonging to Gravy Analytics, a location data company that aggregates mobile phone location data and sells it through its subsidiary, Venntel, to commercial clients and government agencies. According to the report by Wired, which collaborated with 404 Media, the data breach shows how location data from apps like Tinder, Candy Crush, and Grindr is being collected without users’ knowledge.

How the Data Was Collected

The data was not collected through embedded code in apps but rather through real-time bidding (RTB), a process in which companies bid to place ads inside mobile apps. However, this process has a dangerous side effect: data brokers can intercept and harvest user location data during the bidding process.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’ rather than code embedded into the apps themselves,” said Zach Edwards, senior threat analyst at cybersecurity firm Silent Push.

This revelation highlights a significant flaw in the digital advertising ecosystem, where real-time ad placements allow third parties to access sensitive location data. Hackers exploiting this system can obtain precise mobile phone coordinates, including data from health clinics, religious sites, and other sensitive locations.

The Scale and Impact of the Breach

The hacked Gravy Analytics data includes tens of millions of mobile phone coordinates from devices across the United States, Russia, and Europe. The affected apps span a wide range of categories, from social networks and fitness trackers to email clients and even VPN apps that users download to protect their privacy.

Among the most concerning findings is that sensitive apps, such as pregnancy tracking and prayer apps, were also implicated in the data harvesting. For example, Muslim Pro, a popular prayer app, denied authorizing ad networks to collect user location data. Flightradar24, another affected app, stated that it had never heard of Gravy Analytics but acknowledged using ads to keep the app free.

The location data industry is notoriously opaque, and the breach offers a rare glimpse into how data brokers acquire and sell user data. Gravy Analytics has sold data to Venntel, which counts several U.S. government agencies as clients, including Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), the IRS, the FBI, and the DEA.

Privacy Implications and Accountability

This breach raises serious concerns about user privacy and the lack of transparency in the location data industry. The real-time bidding process has become a weak point in digital privacy protections, allowing data brokers to harvest location data without the knowledge of app developers or users.

“There’s some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards told 404 Media. He described the current situation as a “nightmare scenario for privacy”.

The Federal Trade Commission (FTC) has taken action against similar practices in the past. In December 2024, the FTC banned Mobilewalla, a location data company, from collecting consumer data from online ad auctions for purposes beyond those necessary for the auctions. The FTC also ordered Venntel and Gravy Analytics to delete historical location data and stop selling data from sensitive areas, such as health clinics and places of worship.

However, the advertising industry’s reliance on real-time bidding continues to pose a significant risk. Krzysztof Franaszek, founder of digital forensics firm Adalytics, reviewed the leaked data and observed that some of it was likely sourced from Google’s ad platform, which serves the ads that enable this tracking.

A Wake-Up Call for the Ad Tech Industry

The discovery that mobile apps are being exploited to harvest sensitive location data through real-time bidding is a wake-up call for the ad tech industry. Companies that manage ad platforms need to take responsibility and proactively address security flaws in their systems to protect user privacy.

The hacked Gravy Analytics files show just how much location data is being collected and sold without users’ knowledge. As cybersecurity experts warn, other data brokers may be using similar tactics to intercept sensitive data, posing a significant threat to user privacy.

For users, this breach highlights the importance of understanding how mobile apps handle their data and being aware of the risks posed by real-time bidding systems.

 
