Warning! Hackers Exploit Candy Crush, Tinder to Spy on Users and Collect Sensitive Data

A recent investigative report by 404 Media has revealed a startling privacy breach involving widely popular mobile apps such as Candy Crush and Tinder. These apps, available across Android and iOS, have been flagged for allegedly collecting sensitive user location data without proper consent.

The collected data has reportedly been traced to Gravy Analytics, a prominent location data broker, whose subsidiary, Venntel, has been linked to selling such information to U.S. law enforcement agencies.

How Hackers Exploit Advertising Ecosystems

The data collection seems to leverage the Real-Time Bidding (RTB) systems used in advertising. Companies bid to display ads within apps, but during this process, entities like Gravy Analytics allegedly intercept and gather user location data, even without the knowledge or involvement of app developers. This lack of transparency leaves users oblivious to their data being harvested.

Expert Opinions on the Data Breach

Zach Edwards, a cybersecurity expert from Silent Push, emphasized the gravity of this revelation, stating:
"This is one of the first instances where the public has clear evidence showing how data brokers are acquiring sensitive user information via advertising bid streams rather than through direct app integration."

Sensitive Data and High-Risk Locations Exposed

The leaked data encompasses over 30 million location points, including areas of high security such as:

• The White House

• The Kremlin

• Vatican City

• Military bases worldwide

The implicated apps span various categories, from gaming and fitness to religious and privacy-centric applications. Popular names include:

• Games: Candy Crush, Subway Surfers, Temple Run

• Dating Apps: Tinder, Grindr

• Health Apps: MyFitnessPal, pregnancy trackers

• Privacy Apps: VPN services

Legal and Regulatory Concerns

This breach comes amid heightened scrutiny from regulatory bodies. The Federal Trade Commission (FTC) has recently imposed a ban on Gravy Analytics and Venntel for unauthorized data sales. The incident underscores the risks of unchecked data misuse through indirect mechanisms like ad bidding systems, even in seemingly secure apps.

How to Protect Your Data on Smartphones

Android Users

• Minimize Permissions: Only grant essential permissions like location or camera access.

• Review App Settings: Check the privacy settings and revoke unnecessary permissions.

iPhone Users

• Enable "Ask Apps Not to Track": Activate this feature post-installation to restrict app tracking.

• Check App Privacy Policies: Understand how your data is used and shared.

Conclusion

The revelation of data collection practices involving popular apps such as Candy Crush and Tinder raises urgent concerns about user privacy and data security. Through Real-Time Bidding systems, location data has been harvested on a massive scale, including sensitive areas like military bases and government buildings.

While the FTC’s actions against Gravy Analytics mark a step forward in addressing such breaches, this incident highlights the persistent risks in today’s digital ecosystem.

Users must remain vigilant by managing app permissions, enabling privacy features, and staying informed about app policies. With increasing dependence on mobile apps, safeguarding personal information has never been more critical. The onus also lies on developers and regulators to ensure robust measures are in place to protect user data from misuse.