This doesn’t look like they hijacked the apps to spy on users’ location. It looks to me like these apps were already illegitimately collecting location data and passing it to Gravy Analytics where it was sold to the highest bidder. If I’m interpreting this article correctly, the hackers only hijacked Gravy Analytics so they could get the location data without paying. The location data was already in the malicious hands of Gravy Analytics.

But it seems rather nebulous. Many of the app developers’ quoted responses in the article seem to be blatant lies, which the article disproves. Many of the app developers deny handing over location data, but do run ads. If those ads execute arbitrary javascript, then IP geolocation is easy. I don’t know how cookies/tracking would work for in-app ads, though.

Short of deleting the offending apps and not using them, how can you protect yourself from the data collection of the app?

There are quite a few apps in there I wasn’t expecting. Guess you just can’t trust proprietary adware, huh.

Crazy. These are the apps that bundle location and network scraping libraries. Those libraries not only gather location data (GPS or network based) but also spy on your surrounding wifis, bluetooth beacons and cell towers.

This allows the distributors to build huge databases that allow to locate things without GPS, just cell networks.

This is actually really useful and I encourage people to help improve this. Use NeoStumbler and collect such data. It is all opensource and will be processed to not allow such tracking. But it will allow geolocation privately, for everyone.

Ironically people are already doing this all the time, and not privately at all.