Gravy Analytics Data Leak Expose Alarming Location-Spying Activity

• Location data of millions of users globally is revealed via apps without the consent of users or app makers. 
• Android and iOS apps have ads that stealthily trace precise user locations.
• A hacker on the Russian breach forum XSS threatens to leak IP addresses, profile data, and more.

In a startling revelation, it was found that a location intelligence company, Gravy Analytics, was storing location information from thousands of apps globally. This was done through advertisements that reflected on apps that stored users’ locations. 

Oddly enough, most app companies seemed unaware or oblivious to the location spying activities conducted using their platform. The massive location data infiltration scandal came to light when a hacker posted on the dark web that they stole data from Gravy Analytics. 

Following this, researchers found a post on the Russian cybercrime forum XSS boasting about the data exfiltration from Gravy Analytics. The hacker claimed to have information including but not limited to IP, bssid, email, user agent, and profile.

Reacting to the amassing of location data, the hacker exclaimed, “They are really everywhere, and who supplies them with data.. You can’t even imagine a scheme using front companies…”privacy” reports but with stored, “deleted” or “masked”.”

The hacker threatened to publish the data on XSS within 24 hours if their demands were not met. 

Taking cognizance of the gravity of the location data exposure, several data analysts, and cybersecurity experts jumped to the scene to investigate the truthfulness of the claim. 

They found that the data stored by app stores did not have a time stamp. However, some samples indicated that they were from 2024. The Season 5 iteration of the mobile gaming app Call of Duty, launched in May 2024, was found in the list. 

Upon enquiring, a few of the named companies replied. Muslim Pro denied knowing Gravy Analytics. However, it did mention the need to float ads on apps to keep the service free for users. Likewise, Tinder also denied having heard of Gravy Analytics.

Although it is claimed that the hacker stole the geolocation data from Gravy Analytics, it could not be said with certainty whether it collected or sourced information from its client companies. It is also suspected that threat actors used Google Ads to get location data.

The number of apps named in the location data heist is estimated to be over 12,000. Popular apps include Accu Weather, Super Fast VPN Proxy-Better, Chess, Capcut, Tinder, Moovit, Temple Run, Viber, and MyFitnessPal. 

The list includes apps available on Android and iOS belonging to various categories. A few of them are as follows:

VPN

1. HotspotShield VPN & Wifi Proxy
2. HaloVPN Lite: Fast VPN Proxy
3. Japan VPN
4. Offline: Files, Browser, VPN
5. VPN Expert - Secure VPN Proxy
6. X-VPN Unlimited VPN Proxy
7. Voice VPN - Fast VPN
8. vpnify - Unlimited VPN Proxy
9. SecVPN Proxy Tool
10. VPN - Fast Secure Proxy
11. Free VPN Proxy by Planet VPN
12. VPN - Super Unlimited Proxy
13. U-VPN (Unlimited & Fast VPN)
14. HulaVPN - Fast Secure VPN
15. VPNIFY - Unlimited VPN
16. X-VPN Unlimited VPN Proxy
17. Voice VPN - Fast VPN
18. Rapid VPN - Safe Secure Proxy
19. Turbo VPN Private Browser

Games

1. Run Race 3D — Fun Parkour Game
2. Jigsaw Puzzle
3. LUDO
4. Wood Block Puzzle - Block Game
5. Spider Solitaire: Card Game
6. Acertijo Mental: Brain Games
7. Bubble Boxes - Matching Games
8. Rummy - free card game
9. Life Choices: Simulation Games
10. Daily Bible Trivia: Quiz Games
11. Backpack Brawl
12. Bible Word Cross Puzzle
13. Score! Hero
14. Richie Games - Play & Earn
15. Subway Surfers
16. Solitäre
17. Angry Birds Match 3
18. Bible Verse Collect - Free Bible Word Games
19. Mason Craft
20. Draw Puzzle Line: Brain Games

Health and Fitness

1. LazyShape: Weight Loss at Home
2. Lose Weight App - Fitness
3. Health Recorder - Heart Rate
4. BMI Log
5. Drink Water Reminder & Fasting
6. Lose Weight App - Fitness
7. Blood Pressure - Blood Sugar
8. Blood Sugar
9. Blood Pressure Tracker & Diary
10. Daily Yoga: Fitness+Meditation
11. BP Cozy
12. BP CirculationCheck
13. Natural Remedies: healthy life
14. Healthy Guy
15. Health Kit
16. Health Tracker
17. HeartEntry
18. Period Tracker & Diary
19. Pregnancy Due Date Calculator
20. MMMMental health test

Religion

1. Muslim Pro
2. Religion Inc. God Simulator
3. Bible Verse Collect - Free Bible Word Games
4. MuslimOn: دعاء القرآن الآلي
5. Bible Trivia

Other Apps

1. BABEL: International Chat & Dating
2. BitBible 繁體 (自動讀聖經)
3. Injustice: God Among Us
4. Jackpotland: Casino Slots
5. Java Edition Mod for Minecraft
6. Learn Guitar - Real Tabs
7. Laser for dogs and cats
8. Indian Constitution
9. Haberler.com: Türkiye ve Dünya Gündemi
10. Home Flip
11. Idle Streamer!
12. Home Plumbing System Guide
13. IPTV ZEUS
14. Money Rush
15. Motivational Quotes
16. Messages: Phone SMS Text App
17. MindSync: AI Photo Editor
18. Mp3 Music Download @Downloader
19. My Talking Hello Kitty
20. My Schedule
21. NewsBreak: Local News & Alerts
22. Mp3 Song Downloader App
23. My Diary - Daily Diary Journal
24. MPP - the social predictor
25. Mosquito io
26. Video Downloader for Twitter
27. Find phone by claps
28. Vector
29. Cricball - Sports Live
30. Crypto Miner: Bitcoin Factory
31. Cyber Cleaner
32. Disney Magic Kingdoms
33. Deliveries Package Tracker
34. Poly.AI - Create AI Chat Bot
35. AVG Cleaner – Storage Cleaner
36. Hollywood Story®: Fashion Star
37. Bitcoin Pusher
38. Car Trade Dealership Simulator
39. Live Talk - Live Video Chat
40. SPOX Sportnews
41. Road Trip: Royal merge games
42. FoxFM - File Manager
43. GPS Map Camera: Geo tag Stamps
44. Gallery - Photo Vault
45. File Explorer
46. Driving School 2017
47. ET Markets : Stock Market App
48. Todo List
49. Tata Cara Ruqyah Lengkap
50. かんたんゲームプレイヤー byGMO
51. WSM - Women's Soccer Manager
52. Voice Recorder Pro
53. NDTV News App
54. Sandbox - Physics Simulator
55. KungFu Academy
56. Match Academy : PVP Match3
57. Bus Simulator Indonesia
58. Disney Frozen Free Fall Games
59. US Taxi Car Parking Simulator
60. QR Code & Barcode Reader Plus
61. DWG FastView-CAD Viewer&Editor
62. Police Pursuit
63. iScanner: PDF & OCR Scanner
64. Grindr - Gay chat
65. MetroZone
66. Traffic Buster: Parking Escape
67. Criminal Case
68. Police Car Driving - Motorbike Riding
69. The Weather Network: Local Forecasts & Radar Maps
70. Speed Test & Wifi Analyzer +
71. All Email Connect
72. Document Reader: PDF, Word Doc
73. Supermarket Simulator 3D
74. Robux Easy Scratch
75. Password Master
76. WordBit Tedesco (German for Italian)
77. Public Transport Simulator
78. Wattpad  -  Stories you'll love
79. Remote Play Controller for PS
80. Radio Turkey - FM Radio
81. Rakuten TV- Movies & TV Series
82. EA SPORTS™ UFC® Mobile 2
83. InDating — Dating and Chat
84. Canal Constructor
85. Golf Rival
86. SHAREit: Transfer, Share Files
87. Pixlr – Photo Editor
88. Bitcoin Spin
89. BuzzFeed - Quizzes & News
90. AppLock
91. Driving Zone: Germany
92. CamScanner-PDF Scanner App
93. Times Of India - News Updates
94. Video downloader - Story Saver
95. Portable ORG Keyboard
96. Ynet
97. Quick QR Scan
98. CCleaner – Phone Cleaner
99. King James Bible - Verse+Audio
100. Currency Converter Plus
101. Moovit: Bus & Train Schedules
102. Pixel Art - Color by Number
103. Pi Network
104. My Calendar - Period Tracker
105. Gas Station Idle
106. Airport Security
107. Moneywalk Step Counter&Rewards
108. Snowball.io
109. EMERGENCY HQ: rescue strategy
110. Amerigo File Manager
111. Weather Radar - Meteored News
112. imo-International Calls & Chat
113. Vinted - Buy and sell clothes
114. Happy Color®: Coloring Book
115. CHAM - Meet Random People

The list includes almost all the types of apps an app store could have in different languages, including VPNs that serve the purpose of hiding your online identity. 

It is worth noting that a huge number of the apps were related to games, VPN, and recreation, pointing toward the intent of the culprit, who was looking to trace players across the globe. 

Researchers found millions of mobile phone service coordinates in the U.S., Russia, and Europe.

Gravy Analytics accesses mobile phone location data received from its sources and sells to the US government and other companies. 

In December 2024, the Federal Trade Commission banned a host of companies from accessing user location data. Some of these companies also worked with U.S. law enforcement agencies. The FTC banned Gravy Analytics and Venntel, its subsidiary, from selling, sharing, or accessing location data barring a few circumstances.