Thousands of popular mobile apps and games, including Candy Crush, Temple Run, and Subway Surfers, have been implicated in a large-scale collection of user location data—often without the knowledge of users or even the app developers. According to a recent study, this data is funneled to Gravy Analytics, which subsequently provides it to commercial clients and government agencies.
Hackers exposed files from Gravy Analytics, revealing that apps ranging from games and social networks to health trackers inadvertently share user location data through advertising networks. This collection operates via the advertising ecosystem rather than embedded app code, rendering it invisible to both users and developers.
Apps named in the leak include Tinder, Grindr, Candy Crush, Temple Run, Subway Surfers, MyFitnessPal, prayer apps, VPN services, and even productivity tools. The data obtained through advertising networks encompasses IP addresses, which are used to estimate the approximate location of devices. In some cases, the information was reportedly extracted through the Google Mobile Ads SDK platform.
Gravy Analytics, via its subsidiary Venntel, collaborates with U.S. government agencies such as the FBI and Immigration and Customs Enforcement (ICE), selling them user movement data. The company has previously faced criticism for opaque business practices. Meanwhile, the U.S. Federal Trade Commission has banned another company, Mobilewalla, from using advertising auction data for third-party purposes.
Cybersecurity experts warn that this situation poses a significant threat to user privacy. Gravy Analytics may have employed a technique known as Real-Time Bidding (RTB), which enables data brokers to intercept advertising auctions, gather geolocation data, and sell it without users’ explicit consent. The problem is exacerbated by the fact that many major app developers may be unaware their platforms are being exploited for data collection.
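
To make the exposure concrete, the following added example (not taken from the leaked files, the study, or any company named here) audits a bid request of the kind broadcast in an RTB auction and produces a minimized copy. The field names follow the public OpenRTB 2.x specification; the sample request, the `/24` and `/48` truncation policy, and the function names are assumptions made for illustration.

```python
import copy
import ipaddress

# Constructed sample bid request using OpenRTB 2.x field names; all values are made up.
SAMPLE_BID_REQUEST = {
    "id": "constructed-auction-1",
    "app": {"bundle": "com.example.game"},
    "device": {
        "ip": "203.0.113.77",
        "ifa": "00000000-0000-4000-8000-000000000001",
        "geo": {"lat": 40.7128, "lon": -74.0060, "type": 1},
    },
    "user": {"id": "constructed-user-1"},
}

# Paths that reveal location or let location points be linked to one device.
SENSITIVE_PATHS = [
    ("device", "ip"), ("device", "ipv6"), ("device", "ifa"),
    ("device", "geo", "lat"), ("device", "geo", "lon"),
    ("user", "id"), ("user", "geo", "lat"), ("user", "geo", "lon"),
]

def _lookup(obj, path):
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def audit(bid_request):
    """Return dotted paths of location-bearing or linkable fields present."""
    return [".".join(p) for p in SENSITIVE_PATHS if _lookup(bid_request, p) is not None]

def truncate_ip(ip):
    """Coarsen an address (assumed policy): keep /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def minimize(bid_request):
    """Return a copy with coordinates and persistent IDs removed and IPs coarsened."""
    req = copy.deepcopy(bid_request)
    device = req.get("device", {})
    for key in ("ip", "ipv6"):
        if key in device:
            device[key] = truncate_ip(device[key])
    device.pop("ifa", None)
    device.pop("geo", None)
    user = req.get("user", {})
    user.pop("id", None)
    user.pop("geo", None)
    return req
```

Even after minimization the truncated IP address still appears in the audit, which matches the article's point that an IP address alone is enough to estimate approximate location.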
Previously, the Muslim Pro app, widely used by Muslims, was embroiled in controversy for selling user data to U.S. military contractors. Developers later assured users that such practices had ceased. Meanwhile, Tinder and Grindr have denied any connections to Gravy Analytics.
Experts emphasize that these revelations underscore the urgent need for stricter privacy regulations. While users concerned about surveillance can block ads, the scale of the issue makes effective oversight a formidable challenge.