Popular apps across Android and iOS platforms are being exploited by advertising industry players to collect sensitive location data on a massive scale, according to recently leaked files from location data company Gravy Analytics.
The affected apps span various categories including gaming, dating, fitness tracking, and religious applications. Major titles like Candy Crush, Tinder, Temple Run, MyFitnessPal, and Muslim prayer apps are among those impacted, potentially exposing millions of users' location data without their knowledge.
The data collection occurs through the advertising ecosystem rather than direct app code, meaning even app developers may be unaware of this surveillance. When companies bid to place ads within apps, data brokers can intercept the process to harvest users' phone locations.
The leaked files reveal tens of millions of mobile phone coordinates from devices across the US, Russia, and Europe. This data can include precise locations and IP addresses, which can be used to track user movements.
"This is a nightmare scenario for privacy," says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push. He notes this appears to be proof of large-scale data collection through advertising systems rather than traditional app-embedded tracking code.
The collected data may ultimately reach government agencies through Venntel, a Gravy Analytics subsidiary that sells location information to organizations like Immigration and Customs Enforcement, FBI, and Drug Enforcement Administration.
Most affected companies deny direct involvement with Gravy Analytics. Tinder stated they have "no relationship with Gravy Analytics," while Flightradar24 acknowledged displaying ads but had never heard of the company.
Users concerned about privacy have limited options for protection, as blocking ads appears to be one of the few ways to prevent this type of tracking. The Federal Trade Commission has recently taken steps to restrict similar data collection practices, but the advertising ecosystem continues to present privacy challenges.
This revelation raises serious questions about data privacy and the role of advertising networks in enabling surveillance without user consent or app developer awareness.