Hackers Claim Massive Breach of Location Data Giant (Gravy Analytics), Threaten to Leak

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel, which has sold masses of smartphone location data to the U.S. government. The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show people’s precise movements, and they are threatening to publish the data publicly.

The samples of data posted by the hackers include the apparent historical location of smartphones. The files contain precise latitude and longitude coordinates of the phone, and the time at which the phone was there. Some screenshots indicate what country the data has been collected from. One alphabetically ordered list mentions Mexico, Morocco, Netherlands, North Korea, Pakistan, and “Palestinian State (proposed).” That is only a snapshot of where Gravy sourced data from; one file includes location data relating to phones in Russia, and U.S. agencies have previously used such data as part of immigration operations on the country’s border. (Gravy provides some of its data to subsidiary Venntel, which then works directly with those and other agencies).

Another screenshot shows classifiers that Gravy has added to collected data, such as “LIKELY_DRIVING.”

1 Like

Candy Crush, Tinder, MyFitnessPal: See the thousands of apps hijacked to spy on your location

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.

Source:
https://bsky.app/profile/404media.co/post/3lfdm7xcgc222

2 Likes

I would assume potential mitigations of this could be done with various tracker blocking DNS providers and/or Pi-hole? I know some apps bypass that using their own DoT or DoH.

Thanks for the link, just found another post from 404Media providing the WIRED version of the same report (which is not paywalled).

1 Like

From what I can find, Private DNS is quite robust and apps shouldn’t be able to bypass private DNS, unless they embed an IP address in their app in case the DNS query gets refused. Some apps do that, e.g. WeChat (I learnt this when I was setting up Private DNS for someone).

1 Like
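The bypass described above (an app connecting to an embedded IP address, or using its own DoT resolver) can be spotted by comparing a per-app connection log with the filtering resolver's query log. This is an added example, not part of any post in the thread; the log layouts, app names and addresses are constructed assumptions (documentation IP ranges).

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical apps, documentation-range IPs.
RESOLVER = "192.0.2.53"  # the filtering resolver the device is configured to use
DNS_LOG = [  # (time, queried name, answer IPs) as logged by the resolver
    ("2025-01-10T10:00:00", "api.example.com", ["198.51.100.10"]),
    ("2025-01-10T10:00:05", "tracker.example.net", []),  # blocked: empty answer
]
FLOWS = [  # (time, app, destination IP, destination port) from a per-app firewall log
    ("2025-01-10T10:00:01", "app.one", "198.51.100.10", 443),  # resolved first
    ("2025-01-10T10:00:06", "app.two", "203.0.113.77", 443),   # never resolved
    ("2025-01-10T10:00:07", "app.three", "203.0.113.8", 853),  # DoT elsewhere
    ("2025-01-10T10:00:08", "app.one", "192.0.2.53", 853),     # DoT to our resolver
]

def find_dns_bypass(dns_log, flows, resolver, max_age=timedelta(hours=1)):
    """Return (app, dst_ip, reason) for flows that did not go through the resolver."""
    events = [(datetime.fromisoformat(t), 0, (name, ips)) for t, name, ips in dns_log]
    events += [(datetime.fromisoformat(t), 1, (app, ip, port))
               for t, app, ip, port in flows]
    answered = {}  # ip -> most recent time it appeared in a DNS answer
    findings = []
    # Replay both logs in time order; DNS answers sort before flows at equal times.
    for when, kind, data in sorted(events, key=lambda e: (e[0], e[1])):
        if kind == 0:
            for ip in data[1]:
                answered[ip] = when
            continue
        app, ip, port = data
        if ip == resolver:
            continue  # traffic to the configured resolver is expected
        if port == 853:
            # DNS-over-TLS to a resolver other than the configured one.
            findings.append((app, ip, "own-dot-resolver"))
        elif ip not in answered or when - answered[ip] > max_age:
            # Destination never (or not recently) returned by the resolver:
            # consistent with an IP address embedded in the app.
            findings.append((app, ip, "no-dns-lookup"))
    return findings

if __name__ == "__main__":
    for finding in find_dns_bypass(DNS_LOG, FLOWS, RESOLVER):
        print(finding)
```

An app-bundled DoH resolver uses port 443 like any other HTTPS traffic, so it only surfaces here as `no-dns-lookup` when the DoH server's address was itself never resolved through the filtering resolver.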

Of the blocklists I’m using, only HaGeZi - Multi PRO++ seems to block Gravy Analytics.

Highly recommended list.

4 Likes

You can use the Rethink DNS app on Android to firewall apps that try to bypass your custom DNS.


The solution to this imo is to use better apps. Tinder, Candy Crush, etc. are known “bad” apps.

1 Like

The WIRED article links to a Google sheet with 12,372 listed apps affected. That’s quite a lot.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes.

1 Like

Don’t see any of the apps I use :person_shrugging:

Mostly seems to be full of dubious copy paste low quality apps, so I don’t think 12,000 or whatever is significant at all. There are lots of shitty apps out there, doesn’t mean you can’t filter for bad ones easily.

I mean I know what to use between Proton VPN and “Free Japan VPN: 100% Private!!!” :laughing:

1 Like

AFAIK certain traffic bypasses the VPN, but not private DNS; therefore utilising private DNS would probably be better in this case.

But it is certainly better just to use better apps.

Perhaps it shouldn’t come as a surprise, but it seems to me that many of these apps are blatantly lying in the ‘Data safety’ category on the Google Play Store. I would honestly expect Google to at least take action against these apps when they are caught lying. For example:

Table of Top 10 Apps on List with Third-Party Location Sharing Disclosure(s)

| App Name | Package | Ion | Third-Party Location Sharing |
|---|---|---|---|
| Weather & Radar | de.wetteronline.wetterapp | 360977 | Approximate location: Analytics, Advertising or marketing; Precise location: Advertising or marketing |
| Block Blast! | com.block.juggle | 212608 | No data shared with third parties |
| Candy Crush Saga | com.king.candycrushsaga | 175503 | Approximate location: Advertising or marketing |
| Happy Color®: Coloring Book | com.pixel.art.coloring.color.number | 120648 | Approximate location: Analytics, Advertising or marketing, Fraud prevention, security, and compliance |
| Words of Wonders: Crossword | com.fugo.wow | 78771 | No location data shared with third parties |
| Vita Mahjong | com.vitastudio.mahjong | 68649 | No data shared with third parties |
| Number Match - Number Games | com.easybrain.number.puzzle.game | 68320 | Approximate location: Analytics, Advertising or marketing, Fraud prevention, security, and compliance |
| Mahjong Club - Solitaire Game | com.gamovation.mahjongclub | 51093 | Approximate location: Analytics, Advertising or marketing, Personalization |
| QBlock: Wood Block Puzzle Game | puzzle.blockpuzzle.cube.relax | 42668 | No data shared with third parties |
| Woodle Screw Jam: Nuts & Bolts | com.wood.bolt.wordle.screw.nuts.puzzle | 42367 | No location data shared with third parties |

Given that Gravy Analytics is a location tracking company, it seems to me that as many as 50% of the top ten apps on this list are potentially lying about the fact that they are sharing location data with third parties.

I suspect the same is true for the iOS App Store equivalent (Developer’s Privacy self attestation).

Even Apple acknowledges they don’t verify what the Developer attests to:

The developer indicated that the app’s privacy practices may include handling of data as described below. This information has not been verified by Apple. For more information, see the developer’s privacy policy.

To help you better understand the developer’s responses, see Privacy Definitions and Examples.

Privacy practices may vary, for example, based on the features you use or your age.