January 9, 2025, 4:05 PM

Candy Crush, Tinder, MyFitnessPal: See the Thousands of Apps Hijacked to Spy on Your Location

A hack of location data company Gravy Analytics has revealed which apps are—knowingly or not—being used to collect your information behind the scenes.
Illustration: Getty

Some of the world’s most popular apps are likely being co-opted by rogue members of the advertising industry to harvest sensitive location data on a massive scale, with that data ending up with a location data company whose subsidiary has previously sold global location data to US law enforcement.

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush and dating apps like Tinder to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening without users’ or even app developers’ knowledge.

“For the first time publicly, we seem to have proof that one of the largest data brokers selling to both commercial and government clients appears to be acquiring their data from the online advertising ‘bid stream,’” rather than code embedded into the apps themselves, Zach Edwards, senior threat analyst at cybersecurity firm Silent Push and who has followed the location data industry closely, tells 404 Media after reviewing some of the data.

The data provides a rare glimpse inside the world of real-time bidding (RTB). Historically, location data firms paid app developers to include bundles of code that collected the location data of their users. Many companies have turned instead to sourcing location information through the advertising ecosystem, where companies bid to place ads inside apps. But a side effect is that data brokers can listen in on that process and harvest the location of people’s mobile phones.

“This is a nightmare scenario for privacy, because not only does this data breach contain data scraped from the RTB systems, but there's some company out there acting like a global honey badger, doing whatever it pleases with every piece of data that comes its way,” Edwards says.

Included in the hacked Gravy data are tens of millions of mobile phone coordinates of devices inside the US, Russia, and Europe. Some of those files also reference an app next to each piece of location data. 404 Media extracted the app names and built a list of mentioned apps.

The list includes dating sites Tinder and Grindr; massive games such as Candy Crush, Temple Run, Subway Surfers, and Harry Potter: Puzzles & Spells; transit app Moovit; My Period Calendar & Tracker, a period-tracking app with more than 10 million downloads; popular fitness app MyFitnessPal; social network Tumblr; Yahoo’s email client; Microsoft’s 365 office app; and flight tracker Flightradar24. The list also mentions multiple religious-focused apps such as Muslim prayer and Christian Bible apps, various pregnancy trackers, and many VPN apps, which some users may download, ironically, in an attempt to protect their privacy.

The full list can be found here. Multiple security researchers have published other lists of apps included in the data, of varying sizes. Our version is larger because it includes both Android and iOS apps, and we decided to keep duplicate instances of the same app that had slight name variations to make it easier for readers to search for apps they have installed.

Although this dataset came from an apparent hack of Gravy, it is not clear whether Gravy collected this location data itself or sourced it from another company, or which location company ultimately owns it or is licensed to use it.


Much of the location data attached to these app names does not have a time stamp. But there are indications it dates from 2024. One of the apps listed is Call of Duty: Mobile, and specifically its Season 5 iteration, which launched in May 2024.

Gravy is a company that powers much of the rest of the location data industry. It collates mobile phone location data from various sources, then sells that to commercial companies or, through its subsidiary Venntel, to US government agencies. Norwegian outlet NRK and I previously revealed the flow of location data from a handful of ordinary apps to Gravy and then to Venntel. Venntel’s clients have included Immigration and Customs Enforcement, Customs and Border Protection, the IRS, the FBI, and the Drug Enforcement Administration.

Venntel has also provided the underlying data for another government-bought surveillance tool called Locate X. 404 Media and a group of other outlets showed last year how that tool, made by a company called Babel Street, could be used to monitor visitors to out-of-state abortion clinics.

But the newly hacked data shows for the first time just how many apps could be part of a location data supply chain, even if their developers are not aware of it. Most app developers and companies included in the list did not respond to a request for comment. Flightradar24 said in an email that it had never heard of Gravy, but that it does display ads, which “help keep Flightradar24 free.”

Tinder said in an email that “Tinder takes safety and security very seriously. We have no relationship with Gravy Analytics and have no evidence that this data was obtained from the Tinder app” but did not answer questions about ads inside the app.

Muslim Pro, one of the Muslim prayer apps included in the list, said in an email that it was not aware of Gravy. “Yes, we display ads through several ad networks to support the free version of the app. However, as mentioned above, we do not authorize these networks to collect location data of our users,” the email said. That does not necessarily mean that a member of the advertising ecosystem can’t extract such data, though. (In 2020 I revealed Muslim Pro was selling its users’ location data to a company called X-Mode, whose clients included US military contractors; Muslim Pro stopped the practice after my reporting.)

A Grindr spokesperson told 404 Media in an email that “Grindr has never worked with or provided data to Gravy Analytics. We do not share data with data aggregators or brokers and have not shared geolocation with ad partners for many years. Transparency is at the core of our privacy program, therefore the third parties and service providers we work with are listed here on our website.” Grindr was previously found to have allowed data brokers to obtain its users’ location data.


It’s important that the data appears to be sourced through real-time bidding, because that dictates who is responsible (rogue members of the advertising industry and the tech giants that facilitate that industry), how users can protect themselves (attempting to block ads), and the fact that massive app publishers may not even be aware their users’ data is being harvested and therefore might not know how to stop it. An app developer will know if it implemented location-data-gathering code itself. It might not know that some company, somewhere, is silently listening in on the advertising process and siphoning data from their app.

Surveillance firms can obtain RTB data by acquiring ad tech companies and posing as prospective advertisers. The spy-run location data company doesn’t need to successfully place an ad; instead, it is able to gather data on devices by simply being plugged into that industry. Location data in this case can also include a user’s IP address, which is then geolocated to give their coarse location.

Last January, 404 Media reported on an Israeli surveillance company called Patternz, which was sourcing masses of location data through the RTB process.

In an exposed training video, Patternz showed some of the popular apps it got location data from: 9GAG, Kik, sports app FUTBIN, caller ID apps such as CallApp and Truecaller; and various word, sudoku, and solitaire puzzle games. Every one of these apps is also in the Gravy data. This suggests that Gravy, or wherever Gravy got that data from, also sourced it from interacting with the advertising system rather than location-tracking code baked into the apps.

404 Media shared some of the location data with another security researcher with knowledge of the advertising and location data industries. “It appears that at least some of this data would likely have been sourced from advertising related, real-time bidding,” Krzysztof Franaszek, founder of Adalytics, a digital forensics firm, told 404 Media after reviewing the data. He pointed out some of the user-agents in the file, which show how a user’s device connected to a service, referenced “afma-sdk.” That is a string used by Google’s Mobile Ads SDK (software development kit). In other words, in some cases, it is Google’s advertising platform that is delivering the ads that are eventually leading to this tracking by outside companies and potentially government contractors.

Google did not respond to multiple requests for comment for this article. Neither did Apple.

Franaszek also says that “a significant amount of this geolocation dataset appears to be inferred by IP address to geolocation lookups, meaning the vendor or their source is deriving the user's geolocation by checking their IP address rather than by using GNSS [Global Navigation Satellite System]/GPS data. That would suggest that the data is not being sourced entirely from a location data SDK.”

“What we’re seeing here in this data appears to me to be a huge diversity of apps,” Edwards says. “That’s not what you see from an SDK ingestion; that’s what you see from bulk RTB ingestions.”
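One way to apply the provenance indicators the researchers describe above (the “afma-sdk” user-agent marker, coordinates that look IP-inferred rather than GNSS-derived, and the spread of apps) to a leaked record set, as an added example that is not from the article, 404 Media, or Gravy. The record fields, the sample rows, and the coarse-precision / shared-point heuristic are my assumptions, not the researchers’ actual method.

```python
from collections import Counter, defaultdict

# Constructed sample records; the field names are an assumed schema, not the leaked file's.
RECORDS = [
    {"dev": "d1", "app": "Candy Crush", "lat": 40.71280, "lon": -74.00600,
     "ua": "Mozilla/5.0 (Linux; Android 13) afma-sdk-a-v241222999"},
    {"dev": "d2", "app": "Tinder", "lat": 40.71280, "lon": -74.00600,
     "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) afma-sdk-i-v11.2.0"},
    {"dev": "d3", "app": "Moovit", "lat": 40.71280, "lon": -74.00600,
     "ua": "Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 Chrome/120.0 Mobile"},
    {"dev": "d4", "app": "MyFitnessPal", "lat": 51.50742, "lon": -0.12776,
     "ua": "MyFitnessPal/24.1 (iPhone; iOS 17.2)"},
    {"dev": "d5", "app": "Flightradar24", "lat": 48.86, "lon": 2.35,
     "ua": "okhttp/4.12.0"},
]


def is_ad_sdk_ua(ua):
    """True when the user-agent carries the Google Mobile Ads SDK marker the article cites."""
    return "afma-sdk" in ua.lower()


def decimals(x):
    """Number of decimal places in a coordinate as written (a crude precision proxy)."""
    s = repr(float(x))
    return len(s.split(".")[1]) if "." in s else 0


def looks_ip_geolocated(rec, devices_per_point):
    """Heuristic (my assumption): a point at <=2 decimal places, or one shared by three
    or more distinct devices, is more likely the centroid an IP-to-location lookup
    returns than a GNSS/GPS fix, which lands each device on its own precise point."""
    coarse = decimals(rec["lat"]) <= 2 and decimals(rec["lon"]) <= 2
    shared = devices_per_point[(rec["lat"], rec["lon"])] >= 3
    return coarse or shared


def classify(records):
    """Summarise how many records carry each provenance indicator."""
    devices_at = defaultdict(set)
    for r in records:
        devices_at[(r["lat"], r["lon"])].add(r["dev"])
    devices_per_point = {pt: len(devs) for pt, devs in devices_at.items()}
    summary = Counter(total=len(records))
    for r in records:
        if is_ad_sdk_ua(r["ua"]):
            summary["ad_sdk_ua"] += 1
        if looks_ip_geolocated(r, devices_per_point):
            summary["ip_inferred"] += 1
    summary["distinct_apps"] = len({r["app"] for r in records})
    return dict(summary)


if __name__ == "__main__":
    print(classify(RECORDS))
```

A high share of ad-SDK user-agents and IP-centroid points across many unrelated apps is the pattern the researchers associate with bulk RTB ingestion rather than an in-app location SDK.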


In December the Federal Trade Commission banned another location data company called Mobilewalla from collecting consumer data “from online advertising auctions for purposes other than participating in those auctions.” In other words, the agency banned Mobilewalla from participating in the RTB process for building datasets on people’s devices. The FTC also said Venntel and Gravy collected data without obtaining user consent, ordered the company to delete historical location data, and banned it from selling data related to sensitive areas like health clinics and places of worship, except in “limited circumstances” involving national security or law enforcement.

404 Media has verified the hacked Gravy data in various ways. Some files include credentials for Gravy’s Snowflake instances, a data warehousing tool. 404 Media checked that the URLs in the hacked files do correspond to real Snowflake instances. One file called “users” contains a long list of companies. Some of these firms denied having any relationship with Gravy; Cuebiq, another location data firm mentioned in the file, told 404 Media it “routinely evaluates available data in the market to determine if they are an appropriate fit for our business. Most do not make it past the evaluation stage to production, as was the case here. Cuebiq tested a limited data sample, which was never made available to our customers, and the data was deleted at the end of the limited trial.”

404 Media also sent a section of the data to another data broker called Datonics. “We investigated the matter described in your email, and the segment IDs in those files are those of Gravy, not Datonics,” the company said in an email.

Unacast, which merged with Gravy in 2023, did not respond to multiple requests for comment, both on the hack and whether it or any of its suppliers have derived location data from the real-time bidding process.