Cybercrimes are no stranger in modern society because they appear throughout multiple industrial sectors. The disaster from the breach became visible because what hackers exposed rather than the security hack itself.
The hackers from a group declared their successful database breach of "Gravy Analytics" during the morning hours of January 7th in this year. The cybercriminals provided details of the obtained data revealing user location tracking data with highly specific movement information. Thousands of well-known applications including "Candy Crush," "Tinder," the pregnancy tracker and religious products from both "Apple" and "Google" stores contributed tracking information to the discovered database.
The announcement created worldwide protest because "Gravy Analytics" operates Venntel which sold sensitive location tracking data to security agencies throughout the United States including the National Security Agency and Federal Bureau of Investigation. Gravy Analytics together with its subsidiaries maintains open availability to sell tracking and location data world-wide to any firm capable of making payments.
The disclosure exposed "Gravy Analytics" which operates as the world's biggest data brokerage and sales organization because the company employed unauthorized techniques to obtain and store the data. The attention of the world moved from the security breach toward the operations behind the location data acquisition and distribution to businesses.
How did "Gravy Analytics" collect user location data?
People need to understand the full extent of "Gravy Analytics'" disaster by evaluating how the company acquired location data compared to standard documentation methods. Companies accessed precise smartphone GPS data by writing programming codes which could read the GPS sensors installed on mobile devices. Applications that do not need location data exclude the programming codes that would collect it.
The data limitation proved difficult for marketing organizations to handle since they needed to access sufficient data for their work. To acquire location data these companies developed a different method that resulted in "Gravey Analytics" becoming involved.
Advertising platforms helped the company obtain highly precise data regarding user geographical positions. Companies track user phone locations to determine the precise locations where their ads appear and thus create an accurate breakdown of routes as well as location data. The data logs of these sensitive sites such as religious institutions and healthcare offices and ethnically themed gatherings become available for customers interested in accessing them. The data collection happened through Real-Time Bidding systems which used location information to modify advertisement values.
Security experts who analyzed the leaked data identified the advertising network maintained by Google as the primary suspect responsible for data collection according to their analysis.
Public agencies together with intelligence services serve as the biggest customers of such companies who utilize data to monitor user details and track specified phones.
Researchers at The Washington Post revealed the details of these companies through their characterization as "location data brokers" during 2023. These companies serve major intelligence agencies who operate in the United States and France along with India.
Why all the fuss?
Data brokers breach user privacy by accessing device locations amid a global practice of location data collection but positions themselves as a dangerous risk factor for users. The relevant insight comes from an interview between Wired and cyber security expert Zack Edwards.
Edwards labeled this privacy scandal as a worldwide nightmare since the data collection process was stealthy while remaining inadequately protected.
Typical application procedures require user consent for sensing location information with their devices' sensors though customers typically understand this process. The case with "Gravy Analytics" differs completely from the standard method. Advertising networks operated by the company delivered promotional ads through applications which never asked to access user location data.
The collected data went through storage before any willing buyer could obtain it by making a payment. The data selling operation through "Gravy Analytics" occurred indirectly through its business subsidiaries which maintained client interactions with users.
Hundreds of millions of phone positions from four continents including the United States, Russia and Europe existed within the data publications. The document revealed which applications provided the data collection with their names being among standard applications present on user mobile devices.
Several Apps with No Need for Location Data
Many apps retrieved location data though their basic functionality operated without the requirement since their main purpose was to deliver location-based advertisements. A leaked version of the stolen data confirmed that the number of applications involved in this crisis exceeded 12,000 applications.
The compilation of exposed applications includes popular releases such as "Candy Crush," "Temple Run," "Subway Surfers," "Call of Duty" for mobile, "MyFitnessPal" for tracking meals and workouts, "Tumblr," Yahoo's email app, Microsoft 365, "Muslim Prayers," and multiple VPN apps.
The analyzed applications specifically declared their systems prevent advertisers from accessing user locations. The apps maintain their responsibility to the situation even though their statements do not officially commit to it. The "Muslim Pro" app served as one of the victims in the data incident even though it earlier sold user location data to a U.S. security company.
Who buys this data?
Thousands of worldwide entities pay large amounts to obtain this data for their use. Wired reported that "Gravy Analytics" made data sales to numerous U.S. divisions starting with the IRS followed by immigration services and including Homeland Security and other government agencies through its subsidiaries.
There exist more entities that participate in data acquisition besides these listed. The location data tracking company Patterns participated in selling user location information to clients. These organizations collected location data from the popular applications "9GAG, KiK and Truecaller." amu.com and kiwi.com are among the list of applications discovered within the Gravy Analytics data leak.
What’s the next step?
Analysis of future scenarios after this data leak proves difficult because multiple concerns affect the situation. Location data acquired by advertising networks subsequently gets transferred to companies before being distributed to government agencies while data breaches and theft incidents lead to the unauthorized selling of acquired information.
The current situation prevents anyone from obstructing access to this data. Securing all mobile advertising networks remains challenging while companies have demonstrated no readiness to modify their business models to discard advertising-based profits. Businesses operating in the mobile market that suffered from the leak include key software providers like "Yahoo" alongside "Microsoft."
The Federal Trade Commission issued a ruling to prohibit Venntel and Gravy Analytics from both selling and maintaining sensitive location data stored in their databases. This measure aims to decrease future leaked data but cannot stop all incidents.
